
LinuxCBT_Deb5x_Edition_Notes

2011-08-05


###LinuxCBT Deb5x Edition###

Topology -> Docs directory

Features:

1. Multiple platform support: i386, PowerPC, Sparc, MIPS, S390, AMD64, Intel64, IA-64, etc.

2. Obtainable via: HTTP, FTP, JIGDO, BitTorrent, CD/DVD

3. Open Source - freely available

4. Ships with thousands of packages

Tasks:

1. Download the various DVD ISO images:

' for i in `seq 5`; do wget http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd/debian-504-i386-DVD-$i.iso; done '

2. Confirm the MD5SUMS of downloaded ISOs

3. Prep the VMWare environment

a. https://192.168.75.50:8333

b. Create Virtual Machine

c. Move Debian ISO images beneath top-level container that VMWare references

4. Install Debian on VMWare - from RedHat Enterprise 5x

a. Installed in full-screen, text mode

b. selected single, non-LVM, non-encrypted partition option:

b1. / - 4GB - (/etc, /usr, /var, /home, /boot (linux kernel is here) ...)

b2. swap - 250MB

5. Upgrade Debian4x -> Debian5x

a. Reclamation of existing VMWare instance, that was not in the inventory

Note: This may become our target instance

6. Install Debian via PXE

a. Download netboot.tar.gz - provides PXE code for network installation

b. 'cd /tftpboot && tar -xzvf netboot.tar.gz'

c. Configure Cisco Router DHCP server to serve the 'pxelinux.0' file to the client

Note: You may restrict the 'pxelinux.0' option to specific hosts and/or groups using DHCP configuration - reservations

!

ip dhcp pool linuxcbtwin1

host 192.168.75.101 255.255.255.0

hardware-address 0011.115b.7053

client-name linuxcbtwin1

!

ip dhcp pool DEFAULT75

import all

network 192.168.75.0 255.255.255.0

bootfile pxelinux.0

next-server 192.168.75.50

dns-server 68.94.156.1 68.94.157.1

option 150 ip 10.1.50.2

default-router 192.168.75.1

lease 30

!

Note: 2 Key options for PXE booting

'bootfile pxelinux.0' - PXE boot client

'next-server 192.168.75.50' - TFTPD

Note: TFTPD & DHCPD servers may be the same or different

Note: NetInstall mode eventually attempts to pull the code for the OS from a valid mirror.

You may configure an internal mirror for your organization and point the installer there.
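Tasks 1 and 2 above (download the DVD images, then confirm their MD5SUMS) as an added shell example; this is not code from the original notes. It assumes GNU coreutils md5sum and an MD5SUMS file in the "<md5>  <filename>" layout Debian publishes next to its images; the mirror URL in the usage comment is the one from task 1.

```shell
# Added example, not from the original notes. Assumes GNU coreutils (md5sum)
# and an MD5SUMS file in "<md5>  <filename>" layout (one entry per line).

# download_isos BASE_URL COUNT DEST_DIR
# Fetches debian-504-i386-DVD-1.iso .. DVD-COUNT.iso plus MD5SUMS into DEST_DIR.
# wget -c resumes a partially downloaded image instead of starting over.
download_isos() {
    base="$1"; count="$2"; dest="$3"
    mkdir -p "$dest"
    for i in $(seq "$count"); do
        wget -c -P "$dest" "$base/debian-504-i386-DVD-$i.iso"
    done
    wget -c -P "$dest" "$base/MD5SUMS"
}

# verify_isos MD5SUMS_FILE ISO_DIR
# Checks each file named in MD5SUMS_FILE that exists in ISO_DIR and prints one
# line per entry: "OK", "FAILED" or "MISSING". Returns 0 only if at least one
# file was checked and none failed, so it can be chained with && before use.
verify_isos() {
    sums="$1"; dir="$2"
    checked=0; failed=0
    while read -r expected name; do
        # Skip blank or malformed lines in the sums file.
        [ -n "$expected" ] && [ -n "$name" ] || continue
        # Entries written in binary mode look like "<md5> *<filename>".
        name="${name#\*}"
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            continue
        fi
        actual=$(md5sum "$dir/$name" | awk '{ print $1 }')
        checked=$((checked + 1))
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "FAILED   $name (expected $expected, got $actual)"
            failed=$((failed + 1))
        fi
    done < "$sums"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Typical use, matching the wget loop in task 1:
#   download_isos http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd 5 ./isos
#   verify_isos ./isos/MD5SUMS ./isos && echo "all present images verified"
```

A FAILED image should be deleted and re-fetched rather than used, since a truncated or tampered ISO fails the check exactly like a corrupt one.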

###Linux Boot Sequence###

Features:

1. The boot process Linux systems follow to reach a usable state, in 5 stages:

1. BIOS (indicates bootable hard drive)

2. Grand Unified Boot Loader (GRUB) -> MBR of primary HD

3. INITRD (includes drivers for hardware connected to your system)

4. Kernel (detects hardware) -> mounts '/' - root file system

5. INIT (propels your system into a usable state) - RunLevels

RunLevels: 0-6

0 -> halt

1 -> single-user mode, without concern for contending I/O

2(Debian Default) - 5 -> multi-user run-levels - networking

6 -> reboot

###Rescue - Boot Problems###

Problems:

1. GRUB

a. '/boot/grub/menu.lst' - changed (hd0,0) to (hd1,0) and (hd0,1), then fixed via runlevel 1

2. INITRD

a. Corrupt the file by breaking dependency - renamed initrd.img*

b. Forced a boot by editing GRUB menu to use new INITRD file name

3. INIT

a. Corrupt: /etc/inittab

4. Rescue Mode - Installation detection facility

###Basic Linux Commands###

Features:

1. Numerous small commands that specialize in discrete functions

Tasks:

1. Explore important commands

a. 'whoami'

b. 'id' - includes info from: 'whoami' as well as uid|gid info.

c. 'pwd' - reveals current working directory based on the maintenance of 2 vars:

c1. 'echo $PWD' - stores the current directory

c2. 'echo $OLDPWD' - stores most recently visited directory

d. 'cd' - changes directory - 'cd $OLDPWD'

d1. 'cd' - with no options, places us in our $HOME directory

Note: The following directory entries:

'.' - references the current directory

'..' - references the parent directory

e. 'ls' - lists files

e1. 'ls -l' - lists files in long format

e2. 'ls -li' - lists files in long format with INODE information

e3. 'ls -al' - reveals hidden files

Note: Nix-based systems prefix hidden files with a '.'

e4. 'ls -ld' - reveals attributes of directory entry

f. 'touch' - creates file if non-existent, otherwise updates timestamp info.

g. 'stat' - reveals FS information about a file

h. '!command' - invokes the most recent invocation of a command from the command history

i. 'echo' - prints what you tell it to

j. 'cat' - concatenates content to STDOUT by default

j1. 'cat test.txt' - dumps file to STDOUT

j2. 'cat test.txt test2.txt' - concatenates test.txt, then test2.txt, to STDOUT

k. 'mkdir' - creates directories

l. 'rmdir' - removes directories

m. 'rm -rf' - removes recursively ANY file entry

n. 'export VAR=value' - sets and exports for use, a variable

n1. 'export MUSIC=/home/linuxcbt/music'

o. 'history' - dumps the current SHELL's history

Note: '!item_num' executes the command with the number in the shell's history

p. 'alias ls='ls -ali' ' - allows you to make shortcuts to commands and options

Command Chaining:

'ls ; pwd ; echo "test" ' - commands are independent

'ls && pwd && echo "test" ' - logical ANDing - previous command MUST exit with exit status '0'

'ls || pwd' - command 2 executes if command 1 fails

Note: You may combine and and/or ALL of these features in a single command

q. 'more | less' - 2 common pagers - displays a page full of info.

r. 'which' - searches the $PATH for the command you are in search of

###Redirection###

Features:

1. Input - STDIN - Standard Input - /dev/fd/0 - keyboard (may also be a file)

2. Output - STDOUT - Standard Output - /dev/fd/1 - screen (may also be a file)

3. Errors - STDERR - Standard Error - /dev/fd/2 - error handling

Tasks:

1. Look at STDIN

a. '<' - explicit indication

Note: When typical STDIN is omitted, the process usually waits on STDIN for input (keyboard)

Note: 'CTRL-D will exit STDIN stream'

Note: STDIN is typically implicitly referenced by most processes

b. '>' - explicit indication

Note: Typically routes to a file or the screen (STDOUT)

b1. 'cat test.txt test2.txt > test3.txt' - clobber mode (auto-clobbers file or creates anew)

c. '>>' - append redirection - appends to existing file or creates a new file

c1. 'cat test.txt test2.txt >> test3.txt'

d. 'STDERR' - '2> errors.txt'

d1. 'ls -l badfile' - the error goes to STDERR, which by default shares the screen with STDOUT

d2. 'ls -l badfile 2> errors.txt' - clobbers and creates errors.txt

d3. 'ls -l badfile 2>> errors.txt' - appends errors to errors.txt

s. watch - executes and updates the output display of the process

t. tty - echoes the current TTY

Note: GUI Managers spawn Pseudo-terminals: pts0..n

Note: Each pty has a distinct mapping of: fd0(STDIN), fd1(STDOUT), fd2(STDERR), auto-generated by the environment

u. head (displays first n lines of file) & tail (displays last n lines)

u1. 'head -n 1', 'tail -n 1' - display the first and the last line respectively

v. file - returns a file's type

v1. 'file filename' - returns types

w. seq - generates a sequence of numbers

w1. 'seq 1000'

x. for - looping mechanism

x1. ' for i in `seq 10`; do echo "Hello World"; done '

x2. ' for i in `ls -A`; do file $i; done '

y. reset - resets the buffer of the terminal so you may keep track of your activities

z. free - reveals memory usage

###Tar, Gzip, Bzip2, Zip###

Features:

1. Archiving

2. Compression

Gzip:

1. ' gzip -c filename > filename.gz '

a. 'seq 1000000 > 1million.txt && ls -lh 1mil*'

b. 'gzip -c 1million.txt > 1million.txt.gz'

b1. 'zcat 1million.txt.gz' - read the binary gzip format and render ASCII text

c. 'gunzip 1million.txt.gz '

d. 'gzip -l 1million.txt.gz' - enumerates stats of file

2. Bzip2

a. 'bzip2 -c 1million.txt > 1million.txt.bz2 ' - creates compressed file

b. 'bunzip2 1million.txt.bz2'

c. 'bzcat 1million.txt.bz2'

3. Zip & Unzip

a. 'zip 1million.txt.zip 1million.txt' - dest source - creates a zip file

b. 'unzip 1million.txt.zip' - decompresses

c. 'zip stuff.txt.zip *txt' - squeezes ALL *txt files in current directory

d. 'unzip -l filename.zip' - enumerates stats

e. 'zcat filename.zip' - extract on the fly and dump to STDOUT

Note: 'zcat' applies to both: zip & gzip (a zip archive only when it holds a single member)

4. Tar - archiver - rolls one or more files (including directories) into one image

a. 'tar -cvf alltxtfiles.tar *txt' - roll ALL txt files into 'alltxtfiles.tar'

b. 'tar -tvf alltxtfiles.tar' - enumerates the contents of the tarball

c. 'tar -xvf alltxtfiles.tar' - extracts the contents of the tarball

d. 'tar -xvf alltxtfiles.tar 1000.txt 100k.txt' - extracts specific files from the archive

e. 'tar -czvf alltxtfiles.tar.gz *txt' - rolls a tarball with gzip compression

f. 'tar -cjvf alltxtfiles.tar.bz2 *txt' - rolls a tarball with bzip2 compression

###GREP###

Features:

1. Line processor

Tasks:

1. Use grep to search for interesting strings

a. 'grep cat animals.txt' - returns ALL lines containing lowercase 'cat'

b. 'grep -i cat animals.txt' - returns ALL lines containing either case of 'cat'

c. 'grep 20 animals.txt'

d. 'grep "^20" animals.txt' - returns lines that begin with the string: '20'

e. 'grep "20$" animals.txt' - returns lines that end with the string: '20'

f. 'grep "^20$" animals.txt' - returns lines that consist solely of the string: '20'

g. 'grep "^c.*" animals.txt' - returns lines beginning with 'c'

h. 'grep "^[cd]" animals.txt' - returns lines beginning with 'c' OR 'd' (each character inside '[ ]' is an alternative, so no '|' is needed)

i. 'grep -v "kernel" /var/log/messages' - returns lines that do NOT contain 'kernel'

j. 'grep -C 2 'dog' animals.txt' - returns 2 lines above and below matched line

j1. 'grep -C 2 'ostrich' animals.txt > animals.reduced.list.txt'

###AWK###

Features:

1. Field processor

2. Tokenizes lines into fields and returns them for usage

3. Matches patterns using Regular Expressions - POSIX - GREP - EGREP

Tasks:

1. Use Awk to parse fields

a. ' awk '{ print $1 }' animals.txt ' - prints field #1 using whitespace delimiters

b. ' awk '{ print $0 }' animals.txt ' - prints the entire line

c. ' awk -F, '{ print $1 }' ' - prints field #1 from STDIN, using ',' as the delimiter

d. ' awk -F "[-, ]" '{print $2}' ' - prints field #2 using 3 delimiters ('-' is listed first so it is not read as a range)

e. ' awk '/dog/ { print $0 }' animals.txt ' - matches lines with 'dog' and prints the full line

f. ' awk -F "[-,; ]" '/dog/ { print $0 }' animals.txt ' - matches lines with dog, with multiple delimiters

g. ' awk '/dog[gy]/ {print $0}' animals.txt ' - match lines with 'dog' followed by 'y' or 'g'

h. ' awk '{ if ($2 ~ /20/) print $0 }' animals.txt '

i. ' awk '{ if ($5 ~ /kernel/) print $0 }' messages ' - matches lines where field $5 contains 'kernel'

###Sed - Stream Editor###

Features:

1. Manipulate Streams of Text

2. Support for regular expressions

3. Command-line

4. Scriptable

Tasks:

1. ' sed -n '1p' animals.txt ' - prints the first line

2. 'sed -n '$p' animals.txt ' - prints the last line

3. 'sed -n 4,9p animals.txt ' - prints lines 4-9

4. 'sed -n 10,12p animals.txt ' - prints lines 10-12

5. 'sed -e '/^$/d' animals.txt ' - deletes blank lines (with -n and no 'p' nothing would be printed)

6. 'sed -n '1,2p' animals.txt ' - prints lines 1-2

7. 'sed -n '1!p' animals.txt ' - prints all but line #1

8. 'sed -n '1,3!p' animals.txt ' - prints all but lines 1-3

9. 'sed -n -e 's/cat/BIGCAT/p' animals.txt ' - replaces 'cat' with 'BIGCAT' and prints only the changed lines

10. 'sed -n -e 's/^cat$/BIGCAT/p' animals.txt' - replaces lines that consist solely of 'cat'

11. 'sed -n -e 's/\(.*\)\(;\)\(.*\)/\1\2\3/p' animals.txt ' - captures matched groups into the backreferences \1, \2, \3

12. 'sed -n -e 's/;/ /p' animals.txt ' - replaces ';' with space

13. 'sed -n -e 's/[-,;]/ /p' animals.txt ' - replaces ';', ',' or '-' with space ('-' first so it is not read as a range)

14. 'sed -e 's/[-,;]/ /p' animals.txt ' - same replacement, but prints the full doc to STDOUT (changed lines appear twice because of 'p')

15. 'sed -e '/^$/d' animals2.txt ' - removes blank lines, dumps to STDOUT

16. 'sed -i.bak -e '/^$/d' animals2.txt' - removes blank lines in place and backs up the original file as animals2.txt.bak

###Perl ###

Features:

1. Everything

Tasks:

1. Basic RegEx Usage

a. Ensure that the correct number of arguments are supplied

Note: The execution type governs parameter placement

i.e. 'perltest1.pl ' - ARGV[0] -> first parameter

i.e. '/usr/bin/perl perltest1.pl ' - ARGV[1] -> first parameter

###System Utilities###

Features:

1. Administration tools for system performance

1. 'runlevel' - reveals the current/previous runlevel

2. 'uptime' - reveals system uptime, and usage over: 1, 5, 15 minutes

3. 'ps' - enumerates a list of processes

a. 'ps' - processes tied to a TTY

b. 'ps -ef' - ALL processes

c. 'ps -aux' - ALL processes, plus %MEM, %CPU, etc.

4. 'top' - reveals - uptime, df, %MEM, %CPU, sorts, updated real-time, etc.

a. 'top' - auto-refreshes every 3 sec.

b. 'top d5' - auto-refreshes every 5 sec.

5. 'df' - reveals current filesystem usage/allocation

a. 'df -h'

6. 'mount' - reveals current mounts with key details/allows you to mount/umount

###User & Group Management###

Features:

1. Facilitates provisioning and management of users/groups

Note: Debian numbers regular users starting at uid 1000

Note: Debian gives each user a private group by default, with a gid that matches the uid

Tasks:

1. Correlate GUI management tool to applicable: /etc/ files

/etc/passwd: - general account information - world readable

linuxcbt:x:1000:1000:LinuxCBT User,Stamford Conn.,888-573-4943,,:/home/linuxcbt:/bin/bash

/etc/shadow: - passwords

linuxcbt:$1$7GePLICi$WdWcehUWvY1KNwCZI7VqH/:14672:0:99999:7:::

Fields:

1. login name

2. encrypted password

3. Days since Unix epoch(19700101), password was last changed

4. Days before password may be changed: 0 = no length required

5. Days after which password must be changed

6. Days after password expires that account is disabled

7. Days since Unix epoch that account is disabled

8. Reserved

2. Add a new user via the GUI

3. Add a new user via the shell

a. 'userdel -r dean' - removes the user and $HOME/$MAIL spool directory

b. 'useradd -d /home/dean -g dean dean'
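An added example (not from the original notes) that audits a shadow file for the risky values the field list above describes: an empty password, the legacy MD5 '$1$' hash scheme seen in the sample entry, a 99999 maximum age (the password never expires) and an expiry date already in the past. It uses the nine-field layout from shadow(5), in which field 6 is the warn-days value (the '7' in the sample entry), field 7 the inactivity period and field 8 the account expiry day; the shadow file and the "today" day number are passed as arguments, so it runs without root against a copy or the constructed sample.

```shell
# Added example, not from the original notes. POSIX sh + awk; reads a shadow file
# passed as an argument, so it can be run against a copy or a constructed sample.

# audit_shadow SHADOW_FILE TODAY
# TODAY is the current day as days since the Unix epoch (the unit fields 3 and 8
# use); on a live system pass $(( $(date +%s) / 86400 )). Prints "<user> <finding>".
audit_shadow() {
    awk -F: -v today="$2" '
    NF < 9 { next }                # not a shadow(5) entry: 9 colon-separated fields
    {
        user = $1; hash = $2; last = $3; max = $5; expire = $8
        # "!" or "*" in field 2 means the account is locked: no password checks apply.
        if (hash ~ /^[!*]/) next
        # Field 2 empty: login with no password at all.
        # "$1$" marks MD5-based crypt, the legacy scheme used by the sample entry above.
        if (hash == "")
            print user, "EMPTY-PASSWORD"
        else if (hash ~ /^\$1\$/)
            print user, "MD5-CRYPT-HASH"
        # Field 5: 99999 (the useradd default) means the password never has to change.
        # Otherwise compare the password age (today - field 3) against field 5.
        if (max == "" || max + 0 >= 99999)
            print user, "PASSWORD-NEVER-EXPIRES"
        else if (last != "" && today - last > max)
            print user, "PASSWORD-EXPIRED"
        # Field 8: account expiry day; if set and already passed, the account is dead.
        if (expire != "" && expire + 0 <= today)
            print user, "ACCOUNT-EXPIRED"
    }' "$1"
}

# write_sample_shadow PATH - writes a constructed shadow file. The hashes are
# placeholders, except the linuxcbt entry, which is the one quoted in the notes.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$constructedhashvalue:15150:0:90:7:::
linuxcbt:$1$7GePLICi$WdWcehUWvY1KNwCZI7VqH/:14672:0:99999:7:::
guest::14000:0:99999:7:::
backup:*:14000:0:99999:7:::
dean:$6$saltsalt$constructedhashvalue:14500:0:90:7::14600:
EOF
}

# Demo: day 15191 is 2011-08-05, the date of these notes.
sample=$(mktemp)
write_sample_shadow "$sample"
audit_shadow "$sample" 15191
rm -f "$sample"
```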

###File Permissions - Symlinks###

Features:

1. Restrictions based on organizational policy - Discretionary Access Control (DAC)

2. Ability to provide multiple views of content - Symlinks

File Permissions:

1. 10-bits - used to represent permissions in Linux | Unix

1 - leftmost - d (directory), - (regular file), c (character device, e.g. keyboard), b (block device, e.g. storage), l (soft-link)

2-4 - Correlate to the owner

5-7 - Correlate to the group

8-10 - Correlate to the world (everyone)

b rw- rw- --- 1 root disk 8, 1 2010-03-02 09:55 /dev/sda1

Perms Octal: 660

Possible Permissions:

r = read = 4

w = write = 2

x = execute = 1

Total Permissions: 7

Umask: Governs default permissions assigned to various objects: files & directories

Files: rw-r--r-- = 644

Directories: rwxr-xr-x = 755

drwxr-xr-x 2 linuxcbt linuxcbt 4096 2010-03-03 10:38 temp

Default Umask: 0022

Total Possible Permissions: 0777 - 0022 = 0755 (directories)

Note: Files start from a base of 0666 (no execute bit), so the same default umask yields 644 for files

Permissions Utilities:

1. chown - change ownership of user and/or group fields

2. chmod = change the mode (octal)

3. chgrp = changes the group ownership field

Chown Usage:

' chown dean 100.txt ' - changes ownership to user named 'dean'

' chown linuxcbt.users 100.txt' - changes both: user & group fields

Chgrp Usage:

' chgrp linuxcbt 100.txt' - changes group ownership of file named: '100.txt'

Chmod Usage:

' chmod 640 100.txt ' - denies world access

' chmod 600 100.txt ' - denies world and group access

' chmod 744 temp2/ ' - removes 'x' perm from group and world

Symbolic permissions Notation:

1. 'chmod u+x temp2' - enables 'x' permission on directory 'temp2' - owner

2. 'chmod g+x temp2' - influences group field

3. 'chmod o+x temp2' - influences other field

SETUID - runs the executable with the effective user ID of the file's owner rather than that of the invoking user

i.e. '/usr/bin/passwd'

Octal: 4755 - leading '4'

-rwsr-xr-x 1 root root 31704 2009-11-14 09:41 /usr/bin/passwd

'find /usr/bin -perm -4000' - find SETUID objects

SETGID - on a directory, causes new files to inherit the directory's group ownership

'chmod 2755 directory_name'

'chmod g+s directory_name'

'mkdir /project'

'chown root.users /project'

'chmod 2755 /project'

STICKY BIT - 't' in the world field - lets users share a common writable directory such as '/tmp' while only a file's owner may delete or rename it
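An added shell example (not from the original notes) for the umask note and the SETUID/SETGID/sticky-bit material above: default_mode computes what a umask actually yields (it is a bit mask, so base 0666 with umask 027 gives 0640, not the 0637 that subtraction would suggest), and audit_perms walks a tree for the objects a reviewer checks first: SETUID/SETGID executables, world-writable files, and world-writable directories that lack the sticky bit. It assumes a POSIX find, sed and chmod; the sample tree is constructed in a temporary directory.

```shell
# Added example, not from the original notes. POSIX sh; needs only find, sed and chmod.

# default_mode UMASK file|dir
# The umask clears bits, it does not subtract: mode = base & ~umask, where the base
# is 0777 for directories and 0666 for files (files never get 'x' by default).
default_mode() {
    case "$2" in
        dir)  base=$(( 0777 )) ;;
        file) base=$(( 0666 )) ;;
        *)    echo "usage: default_mode UMASK file|dir" >&2; return 1 ;;
    esac
    # A leading 0 forces the umask argument to be read as octal, e.g. 022 or 027.
    printf '%04o\n' $(( base & ~0$1 ))
}

# audit_perms ROOT
# Lists the permission patterns worth reviewing under ROOT, one tagged line each.
audit_perms() {
    root="$1"
    # SETUID (leading 4) or SETGID (leading 2) executables: they run with the
    # owner's or group's privileges, like /usr/bin/passwd above.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's|^|SUID-OR-SGID |'
    # World-writable files: anyone on the system may change their content.
    find "$root" -type f -perm -0002 -print | sed 's|^|WORLD-WRITABLE |'
    # World-writable directories without the sticky bit: unlike /tmp (1777),
    # any user may delete or rename other users' files in them.
    find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's|^|WW-DIR-NO-STICKY |'
}

# build_sample_tree DIR - constructs a small tree that triggers each check once.
build_sample_tree() {
    mkdir -p "$1/shared" "$1/dropbox"
    chmod 1777 "$1/shared"                  # like /tmp: world-writable + sticky -> fine
    chmod 0777 "$1/dropbox"                 # world-writable, no sticky -> flagged
    : > "$1/tool";  chmod 4755 "$1/tool"    # SETUID -> flagged
    : > "$1/notes"; chmod 0666 "$1/notes"   # world-writable file -> flagged
    : > "$1/plain"; chmod 0644 "$1/plain"   # ordinary file -> not listed
}

# Demo
sample=$(mktemp -d)
build_sample_tree "$sample"
default_mode 022 dir     # 0755
default_mode 027 file    # 0640
audit_perms "$sample"
rm -rf "$sample"
```

On a real system run audit_perms against / (or /usr/bin, as the find above does) and compare the SUID-OR-SGID list against what the installed packages are expected to ship.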

###Symbolic Links###

Features:

1. Create shortcuts to objects on the file system

2. Support for 2-types of symlinks: soft (file containers) & hard (inodes)

3. Soft-links support directories

4. Hard-links do NOT support directories

5. Soft-links may traverse file systems, hard-links may not - due to inodes

6. Removal of soft-links will not remove the source content

7. Removal of the only hard-link, removes the file for good

8. Soft-links are of file type: 'l'

Usage:

1. 'ln -s source target'

a. 'ln -s ../perltest1.pl .' - creates a soft-link of the same name as the source

Note: Soft-links depend heavily/entirely upon the filename container of the source file

b. 'ln -s /etc .' - creates a soft-link to /etc

2. Hard Links - omit the 's' option

a. 'ln ../perltest1.pl' - creates a hard-link, upping the reference count

b. 'ln perltest1.pl newhardperltest1.pl' - creates a hard-link with alternate name

Note: Hard-links always reference the same inode using the same and/or alternate names

Note: Soft-links are assigned distinct inodes, which ultimately reference the source file's name

c. Create hard-links with different permissions

c1. 'ln /home/linuxcbt/Debian_5x/perltest1.pl && chmod 644 perltest1.pl'

###Partitions & File Systems###

Features:

1. Provisioning of storage

Task:

1. Provision storage for project users to be mounted @: /project

a. GParted - used to create partition and allocation FS

b. mount the newly-created file system

b1. 'mount /dev/sdb1 /project' - mounts /dev/sdb1 @ /project

Note: If data exist at the mount point, they will not be available post-mount

Note: Move data pre-mount

c. Ensure that mount is available at system restart: /etc/fstab

c1. 'mount -a' - auto-mounts entries in: /etc/fstab

2. Provision storage manually

a. fdisk

a1. 'fdisk /dev/sdc' - manages '/dev/sdc'

a2. 'n - p - 1 - +4096M' - creates a new, primary partition #1 of size: 4GB

a3. 'p - w' - print table, and write changes to the disk

b. FS overlay

b1. 'mkfs.ext3 /dev/sdc1' - creates an ext3 FS on: /dev/sdc1

c. Mount FS

c1. 'mount /dev/sdc1 /project4G' - mounts partition to: /project4G

Note: You may mount the same block of storage more than once: /project & /project4G

Note: This allows you to apply top-level directory container permissions individually

3. Provision: ext4 storage manually

a. fdisk

b. FS overlay

c. mount and update: /etc/fstab

###Provision of Swap Space###

Features:

1. Additional memory for processes

2. Managed by the kernel, dynamically

3. Can be allocated dynamically

4. Can be allocated as a file and/or partition (preferred)

Tasks:

1. Allocate swap with GUI

a. Allocate

b. enable - 'swapon /dev/sdd1' - enables swapping for the current uptime

c. 'swapon -s' - lists swap devices (partitions and/or files) - shows distribution of swap

Note: 'free ' simply shows the total swap and usage

d. 'swapon -a' - enables swap from /etc/fstab

e. Update: /etc/fstab to apply swap storage upon reboot

f. 'swapoff /dev/sdd1' - disables swapping on device (partition or file)

2. Allocate swap from the shell - using fdisk

a. 'fdisk /dev/sdd'

b. create swap partition - change type to 'linux swap'

c. 'mkswap /dev/sdd2' - creates swap file system on /dev/sdd2

d. 'swapon /dev/sdd2 && free -m' - makes swap available to kernel and dumps mem usage

Note: 'fdisk' will sometimes fail to update the partition table if the disk is in use

3. Allocate swap from a file

a. 'dd if=/dev/zero of=/project/swapfile bs=1024 count=524288' - generates .5G file with zeroes

b. 'mkswap /project/swapfile' - makes file usable for swapping

c. 'swapon /project/swapfile' - enables swapping

d. 'swapoff -a' - disables all swapping for entries listed in: /etc/fstab

###Logical Volume Management (LVM)###

Features:

1. Aggregates storage

2. Storage of disparate types: i.e. SATA, PATA, SCSI, FireWire, Fibre Channel, et cetera

3. Volume sets & stripe sets

4. Extendable, resizable

LVM Concepts:

Storage Hierarchy:

Logical Volume (FS goes here)

-Volume Groups (Aggregate Physical LVM Volumes)

-Physical Volumes (i.e. /dev/sdd3, /dev/sdd4, etc.)

Tasks:

1. Create an LVM volume based on 2 partitions

a. create 2 LVM partitions using fdisk - type = 8e(LVM)

b. create PVs - 'pvcreate /dev/sdd3 /dev/sdd5'

c. create VG - 'vgcreate volgroup001 /dev/sdd3 /dev/sdd5' - allocates PVs to VG

d. create LV - 'lvcreate -L 2.5GB volgroup001' - creates 2.5GB LV

e. overlay FS on LV - 'mkfs.ext3 /dev/volgroup001/lvol0'

f. Test volume accessibility and update: /etc/fstab

2. Explore '*scan' utilities

a. 'pvscan' - enumerates physical volumes

b. 'vgscan' - enumerates volume groups

c. 'lvscan' - enumerates logical volumes

d. 'lvrename name_of_volume_group old_logical_name new_logical_name' && 'lvdisplay' || 'lvscan'

d1. 'lvrename volgroup001 lvol0 logvol0 ' - renames logical volume immediately

Note: If the logical volume and/or volume group name changes, update: /etc/fstab

Note: 'umount' if necessary prior to 'mount -a'

3. Add new storage to LVM

a. 'fdisk /dev/sdd' - allocate more storage of LVM partition

b. 'pvcreate /dev/sdd6' - allocate partition for LVM

c. 'vgextend volgroup001 /dev/sdd6'

d. 'lvextend /dev/volgroup001/logvol0 -L +1G' - extends the logical volume by 1G

e. 'resize2fs device newsize'

e1. 'resize2fs /dev/volgroup001/logvol0 3G' - online resizing (ext3 only)

Note: Caveat: online shrinking is not supported. Shrink offline: 'umount' the volume first, then run 'resize2fs'

###Package Management###

Features:

1. Provision/maintain packages

2. Multiple tools: apt-*, dpkg, aptitude, GUI

Tasks:

1. Explore GUI - 'Synaptic' - front-end to: 'apt-get'

2. Explore 'dpkg'

a. 'dpkg -l' - enumerates all packages

b. 'dpkg -L openssh-client' - enumerates contents of package

c. 'dpkg -S /usr/bin/scp' - returns package membership of: /usr/bin/scp

d. 'dpkg -i package_name.deb' - installs the .deb file from the file system (FS)

e. 'dpkg -r package_name' - removes the package, by its name in the package DB

3. Explore 'aptitude'

Features:

1. Interactive

2. Non-interactive

Tasks:

1. Non-interactive usage of 'aptitude'

a. 'aptitude search ssh' - returns installed/non-installed matches from DB

Note: The package DB is built by the indexed sources: /etc/apt/sources.list

b. 'aptitude install tofrodos' - queries the DB for source location and installs (prompts if media is missing)

c. 'aptitude remove tofrodos' - removes package named: 'tofrodos.*'

d. 'aptitude' - runs interactive

d1. search for package and toggle '+' to mark for installation

Note: A 'task' can consist of contradictory actions: install, remove, etc.

###RunLevels###

Features:

1. Ability to control system in a variety of modes

2. Profiles for services/daemons

BIOS -> GRUB -> INITRD/KERNEL -> INIT (PID=1) -> RUNLEVELS

Default Runlevel = 2: /etc/inittab

Note: Usually, multi-user runlevels are cumulative: i.e. runlevel 2 includes daemons from runlevel 1

RunLevels 0-6, 7-9(optional, seldom-used):

0 - shut down - power-off, if ACPI support or similar

1 - single user - multi-user support is disabled - networking is disabled

2 - default, multi-user mode - for Debian

3 - typical default, multi-user mode, for most distribution - identical to 2

4 - unused - identical to 2

5 - unused - identical to 2

6 - reboot - shuts services/daemons and resets the system, soft-restart

/etc/init.d - container of ALL system daemons - implemented as shell scripts

/etc/rc* - run-control directories for the various runlevels

- Scripts begin with: 'K' (Kill) or 'S' (Start)

- Scripts also include numeric identifier used for sorting: ascending

Note: /etc/rc* - are containers of: K and S scripts that are symlinked to: /etc/init.d

Note: Default runlevel = 2, however, runlevels 2-5 are identical

Note: Enter programs that MUST run with each invocation into: /etc/rc.local

Note: INIT scripts are called with prefixes of: 'S' or 'K'

Note: 'S' prefix causes the process to start

Note: 'K' prefix causes the process to stop

###Job Scheduler - Cron###

Features:

1. Job Scheduler

2. Per-user execution - /var/spool/cron/crontabs/$USER

3. System-wide execution - /etc/crontab

4. Flexibility: minute, hour, days of the month i.e. (24-28), months i.e. (9-12)

5. Cron awakes every minute, and queries for changes in schedules

6. Cron mails the owner of the job, the STDOUT of the job, if an error

Tasks:

1. 'dpkg -L cron'

2. Define a per-user crontab entry: user=linuxcbt

a. 'crontab -e' - launches default editor and allows us to setup job in: /var/spool/cron/crontabs/$USER

b. 'crontab -l' - enumerates user's cron table

3. As 'root' manipulate 'linuxcbt's' crontab entries

4. Evaluate system-wide crontab: /etc/crontab

Note: 'run-parts' executes ALL executable scripts in a directory

Note: /etc/crontab contains a field to indicate the user with which the process is to execute

/etc/anacrontab - contains schedule of missed cron items to be executed

/etc/cron.allow - if exists, account name must exist in it, in order to use cron

/etc/cron.deny - if exists, account name must NOT exist in it, in order to use cron

###Syslog - rsyslogd - rsyslog###

Features:

1. Logging via Unix domain sockets

2. Logging via TCP/IP: UDP:514 || TCP:514

3. Facilities and Levels control routing of log entries

4. Derived from 'sysklogd'

5. Auto-creates directories defined in: /etc/rsyslog.conf, unlike traditional Syslog

Primary Config File: /etc/rsyslog.conf

Tasks:

1. Explore: /etc/rsyslog.conf

Note: UDP:514, TCP:514 are both disabled by default: Enable via: /etc/rsyslog.conf

Note: Log files are created with mode 0640 and ownership root:adm by default

Note: Facilities & Levels are indicated using the following nomenclature:

facility.level -> Target

auth.* /var/log/auth.log - captures 'auth' facility at ALL levels and routes to file

*.* - captures ALL facilities at ALL levels

2. Route Cisco Router Traffic to rsyslogd

a. Determine the facility and level to use

a1. 'local4.info'

b. Configure rsyslog to accept Cisco router traffic at: local4.info

b1. 'local4.* /var/log/cisco/ciscorouter.log'

c. Enable rsyslog UDP listener and restart rsyslog

d. Exclude Cisco local4.* records from catch-all rules except debug: /var/log/syslog

3. Forward a copy of local4.* to remote RedHat box: 192.168.75.11

a. server: /etc/syslog.conf - 'local4.* /var/log/cisco/ciscorouter.log'

b. client: /etc/rsyslog.conf - 'local4.* /var/log/cisco/ciscorouter.log,@192.168.75.11'

Note: RedHat default Syslog doesn't create directories. However, catch-all rule captures local4.* traffic

c. Update: /etc/hosts and: /etc/rsyslog.conf to use hostname

###Syslog-NG###

Features:

1. All provided by Syslog: facilities.levels

2. Filtration of content

Tasks:

1. Install syslog-ng

Note: Removes 'rsyslog' by default

2. Explore Syslog-NG configuration

Note: a. Syslog-NG requires 3 components per configuration

Source - required - Unix Domain Sockets, UDP, etc.

1. Filter - includes facilities.levels

2. Destination - file, other syslog hosts, console, etc.

3. Log - sends source, filters to destination

filter f_local { facility(local4); };

destination d_cisco { file("/var/log/cisco/ciscorouter.log"); };

log { source(s_all); filter(f_local); destination(d_cisco); };

Note: 'invoke-rc.d' - equivalent to: 'service' in RedHat, or 'rc' prefix in SuSE Linux

4. Extend destination to route to UDP target

destination d_cisco { file("/var/log/cisco/ciscorouter.log"); udp("192.168.75.11"); };

5. Filter traffic from Cisco Router & PIX Firewall, using the same facility, to different files:

###Cisco Router Block - based on LOCAL4###

filter f_cisco_router { facility(local4) and match("192.168.75.1"); };

destination d_cisco_router { file("/var/log/cisco/ciscorouter.log"); };

log { source(s_all); filter(f_cisco_router); destination(d_cisco_router); };

###Cisco Firewall Block - based on LOCAL4###

filter f_cisco_firewall { facility(local4) and match("192.168.75.2"); };

destination d_cisco_firewall { file("/var/log/cisco/ciscofirewall.log"); };

log { source(s_all); filter(f_cisco_firewall); destination(d_cisco_firewall); };

###Log Rotation###

Features:

1. Auto-rotation of logs based on defined criteria: (size|time)

2. Compression

3. Multiple criteria

4. Supports forced rotations, overriding criteria

Tasks:

1. Explore 'logrotate' package

/etc/logrotate.d - monitored directory (Default)

/etc/logrotate.conf - primary config file - contains sensible defaults

Note: If a log file does NOT have a more specific logrotate file, the global file directives apply

/etc/cron.daily/logrotate - executes daily

Note: Logrotate will rotate any log file regardless of the source generator

2. Define Cisco log rotation rules in: /etc/logrotate.d/syslog-ng

Note: We reference the: /etc/logrotate.d/syslog-ng file because syslog-ng governs the logging of messages received from the cisco devices

Note: However, you may place your directives in ANY of the included log files

a. 'logrotate -v -d /etc/logrotate.conf' - rotate simulation

###Common Network Utilities###

Features:

1. Find other hosts - PING

2. Check service availability | ability - Telnet

3. Network statistics - netstat

4. Interface configuration - ifconfig

5. Path to remote systems - traceroute, tracepath

6. Name resolutions - nslookup , dig, host, whois

Tasks:

1. Packet Internet Network Groper (PING) - Diagnostics Utility

a. 'ping hostname' - sends an unlimited number of packets, by default

a1. 'ping -c 3 hostname' - sends 3 packets to remote host

Note: PING generates ICMP echo-requests and expects ICMP echo-replies from the target

2. Telnet - tests availability of remote ports | also provides TTYs

a. 'telnet 192.168.75.1 80' - checks connectivity to TCP:80

Note: You may test ports: 0-65535 || 2^16

3. Netstat

a. 'netstat -a' - returns ALL sockets: UDP:TCP:Unix

b. 'netstat -nulp' - reveals UDP listeners sans name resolution, but with programs/PIDs

c. 'netstat -ntlp' - same as above, for TCP listeners

d. &#39;netstat -i&#39; - dumps active interfaces

e. &#39;netstat -rn&#39; - dumps routing table
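
The 'netstat -ntlp' dump is the quickest inventory of exposed services. As an added example (not code from the page), the script below parses a dump in that column layout and lists every TCP listener not bound to loopback; the sample output, its services and PIDs are constructed, not captured from the lab hosts.

```bash
#!/bin/sh
# Added example: triage a 'netstat -ntlp' dump for services exposed beyond loopback.
# NETSTAT_SAMPLE is constructed to mirror the column layout of netstat on Debian;
# the services, addresses and PIDs are illustrative, not captured from a real host.

NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2411/smbd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1987/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2302/vsftpd
tcp        0      0 192.168.75.30:901       0.0.0.0:*               LISTEN      1750/inetd
tcp6       0      0 :::80                   :::*                    LISTEN      2540/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      1801/cupsd'

# Print "port bind-address program" for each TCP listener reachable from other
# hosts, i.e. not bound to 127.0.0.1 or ::1. Wildcard binds (0.0.0.0 and ::)
# answer on every address, including any eth0:N alias added later.
exposed_listeners() {
  printf '%s\n' "$NETSTAT_SAMPLE" | awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
      addr = $4
      n = split(addr, part, ":")                 # port follows the last colon
      port = part[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "127.0.0.1" || host == "::1") next
      split($7, prog, "/")                       # "2411/smbd" -> smbd
      print port, host, prog[2]
    }' | LC_ALL=C sort -n
}

# Port numbers only, space-separated, for a firewall rule review.
exposed_ports() {
  exposed_listeners | awk '{ print $1 }' | tr '\n' ' ' | sed 's/ $//'
}

# To run against the live system instead of the sample:
#   NETSTAT_SAMPLE=$(netstat -ntlp 2>/dev/null); exposed_listeners
```

Run as root so netstat can fill in the PID/Program column; the list is what a port scan of the box will find, minus anything a host firewall drops.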

4. Address Resolution Protocol (ARP) - translates between layer-2 (MAC) & layer-3 (IPv4) addresses

Note: Every NIC carries a 48-bit layer-2 MAC address, intended to be unique

a. 'arp' - dumps the ARP table (the cache of recently resolved neighbours)

b. 'arp -n' - excludes name resolution

c. 'arp -d IP' - deletes an entry from the ARP table

Note: Hosts on other subnets never appear in the table; traffic to them uses the entry for your default gateway

Note: ARP is unauthenticated: any host on the segment may answer for any IP (ARP spoofing). A gateway entry whose MAC changes unexpectedly is worth investigating

5. Traceroute - traces the path between client & server || host-A & host-B

Supports multiple probe methods: UDP (default), ICMP, TCP

Uses the IP header's TTL to discover the routers between source and destination: each router that decrements the TTL to zero returns an ICMP "time exceeded" message, revealing itself

Note: Initial TTL = 1 - the reply comes from your default gateway

Note: After discerning the default GW, traceroute sends the next probes with TTL = 2, and so on, until the destination itself answers

Note: Default method is UDP to destination port 33434, incrementing the port per probe; the destination replies with ICMP "port unreachable"

Note: However, the default method isn't always fruitful (firewalls filter it). Try the other methods: ICMP ('-I') or TCP

a. 'traceroute 192.168.75.1' - the default gateway: a one-hop trace

b. 'traceroute www.linuxcbt.com'

TTL HOST Probe1 Probe2 Probe3

1 192.168.75.1 (192.168.75.1) 0.643 ms 0.471 ms 0.547 ms

2 bras11-l0.mrdnct.sbcglobal.net (204.60.4.47) 12.760 ms 14.205 ms 16.387 ms

c. 'tracepath www.linuxcbt.com' - returns the route and the path MTU, if discoverable

Nslookup - Non-interactive | Interactive - queries the default DNS servers listed in: /etc/resolv.conf

1. 'nslookup www.linuxcbt.com' - non-interactive query

2. 'nslookup' - enters interactive mode

DIG - non-interactive

1. 'dig www.linuxcbt.com'

2. 'dig linuxcbt.com mx' | 'dig linuxcbt.com ns' - returns the MX | NS records respectively

3. 'dig -x IP' - reverses the query and returns the PTR record

Host - non-interactive

1. 'host www.linuxcbt.com' - returns the forward (A) record

2. 'host -C linuxcbt.com' - returns the SOA record from each authoritative NS, so that serials can be compared

Whois - searches registry objects: IPs, domains, etc.

1. 'whois linuxcbt.com'

###IPv4 Configurations###

Features:

1. Interface Configuration - 'ifconfig'

2. DHCP and/or Static Configuration support

3. Virtual (sub) interfaces - IPv4 aliases

4. Displays important metadata for various OSI layers, errors, diagnostics, etc.

Tasks:

1. 'ifconfig' - dumps the current configuration of active interfaces

Note: You should ALWAYS see the 'loopback' interface (lo)

Note: 'gnome-nettool' - provides ifconfig info., as well as various utilities

2. Use 'ifconfig' to define a new IPv4 sub-interface of: eth0

a. 'ifconfig eth0:1 192.168.75.31' - assigns the address temporarily: it is lost when the interface is downed or the box reboots

Note: Sub-interfaces allow applications, i.e. Apache, to bind services to them

Note: Every extra address is an extra place a listener answers; services bound to 0.0.0.0 pick it up automatically, so check 'netstat -ntlp' after adding one

3. Restart the 'networking' service and confirm interface availability

Note: The temporary sub-interface survives a restart of the 'networking' service, but NOT stop|start

4. Ensure that the sub-interface persists across reboots

a. '/etc/network/interfaces' - primary interface configuration file; add one stanza per sub-interface

b. 'ping -I 192.168.75.32 192.168.75.31' - sources the probe from the eth0:2 address and confirms that both sub-interfaces answer
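
The stanzas step 4a refers to, as an added example (not the page's own file). The eth0 stanza assumes the static configuration visible in the ifconfig output later on the page (192.168.75.30/24 via 192.168.75.1); the two sub-interface addresses are the ones used above:

```conf
# /etc/network/interfaces (added example stanzas)
auto eth0
iface eth0 inet static
    address 192.168.75.30
    netmask 255.255.255.0
    gateway 192.168.75.1

# Sub-interfaces: one stanza each, brought up together with eth0
auto eth0:1
iface eth0:1 inet static
    address 192.168.75.31
    netmask 255.255.255.0

auto eth0:2
iface eth0:2 inet static
    address 192.168.75.32
    netmask 255.255.255.0
```

'ifup eth0:1' activates a stanza without a reboot; 'ifdown eth0:1' removes it and, unlike the bare ifconfig command, leaves the persistent configuration in step.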

5. Explore ALL interfaces:

a. 'ifconfig -a' - enumerates ALL interfaces, active | inactive

6. Remove sub-interfaces:

a. 'ifconfig eth0:1 down' - removes eth0:1 (192.168.75.31) for the session

b. 'ifconfig eth0:2 down' - removes eth0:2 (192.168.75.32) for the session

Note: Remove the matching stanza from /etc/network/interfaces as well, or the address returns at the next 'ifup'/reboot

###IPv6 Configuration###

Features:

1. Self-configuring

2. Based on 128-bit addresses, vs. the 32-bit address space of IPv4 (approx. 4 billion addresses)

3. Enabled by default

4. Typically configured via the router (stateless autoconfiguration from router advertisements)

5. Incorporates the MAC address of the connecting NIC into the host portion (modified EUI-64)

Note: MAC addresses use 48 bits; EUI-64 pads them to 64 by inserting ff:fe in the middle

6. IPv6 subnets are typically /64, which means: 64 bits of network prefix & 64 bits of host (interface) ID

Tasks:

1. Explore the ifconfig configuration

'ifconfig'

lo: inet6 addr: ::1/128 Scope:Host - loopback configuration

eth0 Link encap:Ethernet HWaddr 00:0c:29:4d:e5:2c

inet addr:192.168.75.30 Bcast:192.168.75.255 Mask:255.255.255.0

inet6 addr: 2002:4687:db25:2:20c:29ff:fe4d:e52c/64 Scope:Global

inet6 addr: fe80::20c:29ff:fe4d:e52c/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:2269277 errors:0 dropped:0 overruns:0 frame:0

TX packets:2204154 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:159602581 (152.2 MiB) TX bytes:1029103297 (981.4 MiB)

Interrupt:18 Base address:0x1400

Note: Every IPv6-enabled interface auto-configures a link-local address (fe80::/10) that is valid only on its own layer-2 broadcast domain (VLAN); it is never routed beyond it

Note: Interfaces will also auto-configure global IPv6 addresses from router advertisements sent by edge devices: routers, firewalls, layer-3 switches

inet6 addr: fe80::20c:29ff:fe4d:e52c/64 Scope:Link

Note: IPv6 notation drops leading zeroes within a group, and one run of all-zero groups may be collapsed to '::'

6-to-4 address configured on the router and distributed automatically:

6-to-4 (2002::/16) addresses are built from:

1. 2002 prefix - 16 bits

2. Embedded public IPv4 address of the 6to4 router - 32 bits (together with the prefix: a 48-bit site prefix)

3. Subnet ID - 16 bits (here: 2)

4. Interface ID derived from the host's 48-bit MAC address - 64 bits (modified EUI-64)

inet6 addr: 2002:4687:db25:2:20c:29ff:fe4d:e52c/64 Scope:Global

Note: Such an address fully reveals the NIC's identity (MAC, hence vendor and often the host), as well as your IPv4 Internet presence if using 6-to-4 routing; privacy extensions (RFC 4941, sysctl 'net.ipv6.conf.all.use_tempaddr') exist to randomise the interface ID used for outbound connections

Note: With stateless autoconfiguration the router advertisement supplies only the /64 prefix; the host derives the interface ID itself. Stateful DHCPv6 can instead hand out complete addresses
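
To make the disclosure concrete, the added example below (not code from the page) takes a 6to4 address in the fully written form ifconfig prints and recovers the two things it leaks: the site's public IPv4 address and the NIC's MAC. Feeding it the address shown above yields the HWaddr from the same ifconfig output.

```bash
#!/bin/sh
# Added example: decode what a 6to4 SLAAC address gives away about a host.
# Input must be the fully written 8-group form (no '::' compression), as ifconfig prints it.
# Output: "<embedded IPv4 of the 6to4 router> <MAC of the NIC>"; non-zero return if the
# address is not in 2002::/16 or the interface ID is not a modified EUI-64.

decode_6to4() {
  _oldifs=$IFS; IFS=':'; set -- $1; IFS=$_oldifs
  [ $# -eq 8 ] || return 1
  for g in "$@"; do                      # each group: 1-4 hex digits, nothing else
    case $g in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ ${#g} -le 4 ] || return 1
  done
  [ $((0x$1)) -eq $((0x2002)) ] || return 1

  # Groups 2-3 carry the 6to4 router's public IPv4 address (RFC 3056): 4687:db25 -> 70.135.219.37
  ipv4=$(printf '%d.%d.%d.%d' $((0x$2 >> 8)) $((0x$2 & 255)) $((0x$3 >> 8)) $((0x$3 & 255)))

  # Groups 5-8 are the modified EUI-64: the MAC split around ff:fe, with the
  # universal/local bit (0x02 of the first byte) flipped. Undo both.
  [ $((0x$6 & 255)) -eq 255 ] && [ $((0x$7 >> 8)) -eq 254 ] || return 1
  mac=$(printf '%02x:%02x:%02x:%02x:%02x:%02x' \
        $(((0x$5 >> 8) ^ 2)) $((0x$5 & 255)) $((0x$6 >> 8)) \
        $((0x$7 & 255)) $((0x$8 >> 8)) $((0x$8 & 255)))
  printf '%s %s\n' "$ipv4" "$mac"
}

# Subnet ID (group 4): the 16 bits between the 48-bit site prefix and the interface ID
subnet_id_6to4() {
  _oldifs=$IFS; IFS=':'; set -- $1; IFS=$_oldifs
  [ $# -eq 8 ] || return 1
  printf '%d\n' $((0x$4))
}
```

Anything that logs the client address (web server, mail server) therefore records the MAC too; that is what RFC 4941 temporary addresses are meant to avoid.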

###Trivial File Transfer Protocol###

Features:

1. Fast, connectionless (UDP-based) file transfers

2. Used primarily with network devices: routers, switches, firewalls, VOIP phones, PXE clients

3. PXE installations/booting support

4. Runs via INETD

Task:

1. Install 'atftpd' & 'atftp'

Note: Default installation sets-up: /etc/inetd.conf & invokes the service

Note: Default configuration binds to: UDP:69

Note: Default served directory: /var/lib/tftpboot

Note: TFTP has no authentication and no encryption: anyone who can reach UDP:69 can read every file in the served directory, and device configs contain credentials. Restrict reachability (firewall/ACL) and keep the directory writable only while a backup is running

2. Backup Router configuration via ATFTPD

a. 'copy running-config tftp://192.168.75.30/ciscorouter.config'

Note: 'ATFTPD auto-configures the appropriate permissions to facilitate writes to the directory'; confirm with 'ls -ld /var/lib/tftpboot' and tighten them afterwards

b. Pull configuration from ATFTPD

b1. 'copy tftp://192.168.75.30/ciscorouter.config running-config'

b2. 'wr mem' - copies running-config to startup-config - for persistence across reboots

3. Backup Firewall Configuration via ATFTPD

a. 'tftp-server inside 192.168.75.30 /pixfirewall.config' - sets the TFTP server variable in the PIX config

b. 'wr mem' - saves the configuration for persistence

c. 'wr net' - dumps the configuration to the TFTP server defined above

4. Connect from the Linux TFTP client on the RedHat box

a. install the 'tftp' client

b. 'tftp -v 192.168.75.30 -c get ciscorouter.config' - get file from TFTP server

c. 'tftp -v 192.168.75.30 -c put scp*' - put file to TFTP server (one file per '-c put'; the glob only works if it matches a single file)

###File Transfer Protocol Daemon Service###

Features:

1. Supports authentication

2. Connection-oriented - TCP:21 - control channel; separate TCP connections for data channels

3. Supports Passive and Active data connections

a. Active = the server connects back to the client from its fixed data port TCP:20 - fails through client-side NAT/firewalls

b. Passive = the client connects to a dynamically allocated server port, e.g. TCP:55000-56000 when constrained via 'pasv_min_port'/'pasv_max_port' - the range a firewall in front of the server must permit

Tasks:

1. Explore configuration

/etc/vsftpd.conf - primary config file

/etc/logrotate.d/vsftpd

/etc/init.d/vsftpd - standalone /etc/init.d runscript

Note: Post-installation, VSFTPD runs as an anonymous, IPv4 FTPD server

2. Enable Anonymous access

a. uncomment the anonymous-related directives

3. Enable local users & chroot them

a. 'local_enable=YES' - enables authenticated access

b. 'chroot_local_user=YES' - forces a chroot jail: users see their $HOME as '/'

Note: FTP authentication is clear-text on the control channel, so system credentials crossing TCP:21 can be sniffed; prefer SFTP (see LFTP below) or FTPS for real accounts

###LFTP###

Features:

1. Sophisticated FTP client access

2. FTP, FTPS, SFTP, HTTP - multiple protocols

3. Content mirroring - forward (default/pull) and reverse (put)

4. Functions: interactively/non-interactively

5. Scriptable - batch-mode

6. Maintains command-history

7. Interactive environment is BASH-like

8. Supports tab-completion

Tasks:

1. Explore package contents

/usr/bin/lftp - key binary

/etc/lftp.conf - key global config

Note: 'set -a' - within lftp, lists all directives supported by LFTP with their current values

2. Upload/Download items

a. 'open -u linuxcbt localhost' - connects to the local FTPD, prompting for the password

Note: This simply builds the connection string. The connection will not be used until a command that requires it is executed, i.e. 'ls'

Note: 'open -u user,password' is also accepted, but the password then appears in the process list and the shell history; let lftp prompt instead

Note: FTP servers maintain control (credentials, commands) and data (transfers) connections

b. '!bash' - exits temporarily to the shell

3. Create a simple script to upload and download items

a. 'lftp -f lftpscript1.lftp' - executes LFTP non-interactively, batch-mode

4. Download using HTTP

a. 'lftp http://192.168.75.50/RH54' - allows you to explore an HTTP server

5. Upload/Download using SSH

a. 'lftp -u linuxcbt sftp://192.168.75.50' - credentials and data are encrypted end-to-end

6. Rate-limit

a. 'set net:limit-rate 500' - limits transfers to 500 bytes/second

7. Background/Foreground jobs

a. 'CTRL-Z' - suspends the current transfer into the background

b. 'fg' - brings the job to the foreground

c. 'jobs' - enumerates current job status

8. Mirroring

a. 'mirror -v work/' - mirrors the 'work' directory by pulling to the client

b. 'mirror -v -R work/' - mirrors the 'work' directory remotely by putting the differences

Note: If you need to pull items non-interactively, consider: 'wget' and/or 'curl'

###TelnetD###

Features:

1. Virtual Terminal Access: vty

2. Clear-text based: not secure, but fast

3. May save you in the event that SSH is unavailable

Tasks:

1. Installation - installs via INETD and is enabled by default

2. Test connectivity

Note: A default Debian installation does NOT install SSHD, however, the SSH client is installed

Note: Successful Telnet authentication will echo: /etc/motd

Note: Install telnetd, but disable it in: /etc/inetd.conf until needed; every telnet session sends the password in clear text

Note: INETD is managed via: /etc/init.d/openbsd-inetd

Note: INETD-spawned services/daemons remain running until their sessions have been terminated

Note: TELNETD uses the same PTS, or pseudo-terminal, allocation as SSHD

Note: TELNETD supports SSL, however, client support is sparse. Use SSHD instead

Note: The pseudo-terminals TELNETD allocates are not listed in /etc/securetty, so 'root' may not log in over it by default

Note: SSHD shares the same pseudo-terminals, however, SSHD encrypts the session and authenticates the server to the client

###Dynamic Host Configuration Protocol (DHCP)###

Features:

1. Automatic client configuration

a. IP address

b. subnet mask

c. default gateway/router

d. DNS & WINS server(s)

e. NTP server(s)

f. PXE configuration (next-server, bootfile)

2. UDP-based (server UDP:67, client UDP:68)

3. Broadcast-based - confined to the local segment unless a relay forwards requests

Note: DHCP has no authentication: any host on the segment may answer as a server and hand out its own gateway/DNS. Only one server should serve a segment, which is why the router's pool is removed first

Tasks:

1. Disable DHCP on Cisco router

a. 'no ip dhcp pool DEFAULT75'

2. Install DHCP Server

a. 'dpkg -L dhcp3-server' - enumerates the embedded files

/etc/dhcp3/dhcpd.conf - primary config file

/var/lib/dhcp3 - primary container for leases

3. Prep /etc/dhcp3/dhcpd.conf for production

# 192.168.75.x Definition

subnet 192.168.75.0 netmask 255.255.255.0 {

range 192.168.75.20 192.168.75.49;

# option domain-name-servers ns1.internal.example.org;

option domain-name "linuxcbt.internal";

option routers 192.168.75.1;

option broadcast-address 192.168.75.255;

# default-lease-time 600;

# max-lease-time 7200;

}

4. Route LOCAL7 via Syslog (dhcpd logs to the 'local7' facility by default)

5. Start the DHCP server and test the configuration

dhcpd.leases - primary lease file

Note: Declare 'authoritative;' in dhcpd.conf when this is the segment's only server: dhcpd then NAKs clients still requesting addresses from the old router pool instead of ignoring them

Note: DHCP clients & servers participate in the: DORA process

Discover, Offer, Request, Acknowledgement (DORA)

lease 192.168.75.20 {

starts 4 2010/03/18 14:47:57;

ends 5 2010/03/19 14:47:57;

cltt 4 2010/03/18 14:47:57;

binding state active;

next binding state free;

hardware ethernet 00:11:43:76:1f:67;

uid "\001\000\021Cv\037g";

client-hostname "linuxcbtwin3";

}
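
dhcpd.leases is the server's own record of who holds which address, so it doubles as an inventory of hosts on the segment. The added example below (not code from the page) parses a constructed leases file in the format shown above, lists the currently active bindings, and flags MACs absent from a known-device list; the second and third leases and the inventory are invented.

```bash
#!/bin/sh
# Added example: pull the active bindings out of a dhcpd.leases file and flag
# MACs that are not in an inventory. LEASES_SAMPLE is constructed to mirror the
# ISC format shown above; it is not the page's real lease file.

LEASES_SAMPLE='lease 192.168.75.20 {
  starts 4 2010/03/18 14:47:57;
  ends 5 2010/03/19 14:47:57;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:43:76:1f:67;
  client-hostname "linuxcbtwin3";
}
lease 192.168.75.21 {
  starts 4 2010/03/18 09:00:00;
  ends 4 2010/03/18 10:00:00;
  binding state free;
  hardware ethernet 00:0c:29:4d:e5:2c;
}
lease 192.168.75.22 {
  starts 4 2010/03/18 15:10:00;
  ends 5 2010/03/19 15:10:00;
  binding state active;
  hardware ethernet 00:02:b3:b8:0a:00;
}'

# Inventory of MACs expected on the segment (constructed).
KNOWN_MACS='00:11:43:76:1f:67 00:0c:29:4d:e5:2c'

# Print "ip mac hostname" for every lease whose newest record is in state active.
# dhcpd appends a new block per change and never rewrites older ones, so the last
# block for an IP is the current one: the awk arrays keep overwriting until EOF.
active_leases() {
  printf '%s\n' "$LEASES_SAMPLE" | awk '
    $1 == "lease"                          { ip = $2; state[ip] = ""; mac[ip] = ""; host[ip] = "-" }
    $1 == "binding" && $2 == "state"       { state[ip] = $3; sub(/;$/, "", state[ip]) }
    $1 == "hardware" && $2 == "ethernet"   { mac[ip] = $3; sub(/;$/, "", mac[ip]) }
    $1 == "client-hostname"                { host[ip] = $2; gsub(/[";]/, "", host[ip]) }
    END { for (ip in state) if (state[ip] == "active") print ip, mac[ip], host[ip] }
  ' | LC_ALL=C sort
}

# Active leases whose MAC is absent from KNOWN_MACS: candidates for a rogue host.
unknown_active() {
  active_leases | while read -r ip mac host; do
    case " $KNOWN_MACS " in
      *" $mac "*) ;;
      *) printf '%s %s %s\n' "$ip" "$mac" "$host" ;;
    esac
  done
}

# Against the live server: LEASES_SAMPLE=$(cat /var/lib/dhcp3/dhcpd.leases); unknown_active
```

The client-hostname is whatever the client claimed, so the MAC (and the switch port it appeared on) is the field to act on, not the name.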

###BIND - DNS###

Features:

1. Name-to-IP resolution - forward DNS

2. IP-to-Name resolution - reverse DNS

Tasks:

1. Install BIND

/etc/bind/named.conf - primary config file

/usr/sbin/named - primary DNS server binary

2. Update DHCP to route clients to BIND instance

3. Default Caching-Only instance

4. Query the DNS server from multiple hosts

a. 'dig @192.168.75.30 www.linuxcbt.com'

Note: Caching-only servers hold records for the TTL duration permitted by the authoritative name servers

Note: The initial query is usually slower (considerably) than subsequent queries

Note: DNS records may share or sport distinct TTLs

Note: Restrict recursion to your own clients ('allow-recursion' in named.conf.options); a resolver that recurses for the world is an open resolver, usable for amplification attacks and exposed to cache poisoning

5. Setup Primary DNS - NS - Authoritative server for a zone

a. Use: /etc/bind/db.local as template

b. define 'linuxcbt.internal'

c. Update: /etc/bind/named.conf.local to reference the zone: 'linuxcbt.internal'

d. Restart named

6. Perform queries against the primary DNS server from various clients

Note: The primary DNS configuration does not disable the caching-only configuration. It's cumulative

7. Setup Secondary DNS - NS - Authoritative server for a zone

a. Use the master's zone statement as a template, changing 'type master' to 'type slave' and pointing 'masters' at the primary; the zone data itself arrives via zone transfer (AXFR):

zone "linuxcbt.internal" {

type slave;

file "slaves/linuxcbt.slave.internal.zone.db";

masters { 192.168.75.30; } ;

// put slave zones in the slaves/ directory so named can update them

};

Note: A relative 'file' path is resolved beneath the 'directory' option (/var/cache/bind on Debian), which named may write to; /etc/bind is read-only to named

Note: On the master, limit 'allow-transfer' to the secondary's address, otherwise anyone may download the complete zone

8. Reverse DNS configuration - IPv4

a. Will use: '*.in-addr.arpa'

a1. '75.168.192.in-addr.arpa' - the network octets reversed

a2. 'cp db.127 db.192.168.75' - copy the template reverse file & include reverse records for the NS servers

a3. update: /etc/bind/named.conf.local

zone "75.168.192.in-addr.arpa" {

type master;

file "/etc/bind/db.192.168.75";

};

a4. Restart & test with queries

a4.1 'dig @192.168.75.30 -x 192.168.75.30' - executes a reverse query against the specific DNS box

a5. Include more reverse records

a6. Replicate reverse IPv4 zone to secondary system

###Our Slave Zone for: 192.168.75.0/24###

zone "75.168.192.in-addr.arpa" {

type slave;

file "slaves/db.192.168.75.zone";

masters { 192.168.75.30; } ;

// put slave zones in the slaves/ directory so named can update them

};
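
The access controls the caching-only and authoritative roles above call for, as an added example (not the page's file). The secondary's address 192.168.75.50 is assumed to be the RedHat box that receives the replicated zones:

```conf
// /etc/bind/named.conf.options - added example; 192.168.75.50 assumed to be the secondary
acl "lan"         { 192.168.75.0/24; 127.0.0.1; ::1; };
acl "secondaries" { 192.168.75.50; };

options {
    directory "/var/cache/bind";      // relative 'file' paths (slaves/...) live here

    // Weak: recursing for anyone who can reach port 53 makes an open resolver
    // allow-recursion { any; };

    recursion yes;
    allow-recursion { lan; };         // cache only for our own clients
    allow-query     { any; };         // authoritative answers for our zones may be public
    allow-transfer  { secondaries; }; // AXFR only to the slave, never to the world
    version "not disclosed";          // do not advertise the BIND version
};
```

With this in place an outside query for a name outside your zones is answered REFUSED, while 'dig @192.168.75.30 linuxcbt.internal axfr' works only from the secondary.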

9. Reverse zone for: IPv6

Note: The reverse IPv6 zone requires: reverse nibble notation

Note: A nibble is half a byte, or 4 bits - one hex digit

2002:4687:db25:2:20c:29ff:fe4d:e52c/64

2 0 0 2 4 6 8 7...

a. Define a zone statement to handle the reverse IPv6 zone

Note: Split the 128-bit address into 2 regions, subnet/host ID, i.e. /64-based

Note: Reverse the nibbles of the network part, dot-separated, and append 'ip6.arpa'

Note: Be sure to expand all zeroes first!

2002:4687:db25:2:

2002:4687:db25:0002

zone "2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa" {

type master;

file "db.2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa";

};

b. Define individual IPv6 reverse entries based on: the right-most 64 bits (host ID), likewise expanded and reversed

2002:4687:db25:2: | 20c:29ff:fe4d:e52c/64 - linuxcbtdeb1

c.2.5.e.d.4.e.f.f.f.9.2.c.0.2.0 IN PTR linuxcbtdeb1.linuxcbt.internal.

c. Perform reverse queries

'dig @192.168.75.30 -x 2002:4687:db25:2:20c:29ff:fe4d:e52c'

d. Insert reverse IPv6 addresses for other hosts

2002:4687:db25:2:202:b3ff:feb8:a00

'0.0.a.0.8.b.e.f.f.f.3.b.2.0.2.0 IN PTR linuxcbtsuse1.linuxcbt.internal.'

2002:4687:db25:2:20c:29ff:fe75:3bf6

'6.f.b.3.5.7.e.f.f.f.9.2.c.0.2.0 IN PTR linuxcbtserv1.linuxcbt.internal.'

e. Replicate the configuration to the RedHat server
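
Hand-reversing 32 nibbles is where these zones go wrong (a dropped zero moves every record). The added example below (not code from the page) expands a fully written address, splits it at the prefix length, and produces both the zone name for named.conf.local and the PTR owner for the zone file; the three addresses above are its test inputs.

```bash
#!/bin/sh
# Added example: derive the ip6.arpa zone name and the PTR owner name from a fully
# written (8-group, no '::') IPv6 address and a prefix length that is a multiple of 4.
# The functions are not from the page; the addresses in the comments are the ones listed above.

# Expand to the 32 hex nibbles the reverse tree is built from:
# 2002:4687:db25:2:20c:29ff:fe4d:e52c -> 20024687db250002020c29fffe4de52c
expand_nibbles() {
  _oldifs=$IFS; IFS=':'; set -- $1; IFS=$_oldifs
  [ $# -eq 8 ] || return 1
  for g in "$@"; do
    case $g in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ ${#g} -le 4 ] || return 1
    printf '%04x' $((0x$g))          # zero-pad every group to 4 nibbles
  done
}

# Reverse a nibble string and dot-separate it: "20c" -> "c.0.2"
reverse_dotted() {
  printf '%s' "$1" | awk '{
    for (i = length($0); i > 0; i--) printf "%s%s", substr($0, i, 1), (i > 1 ? "." : "")
  }'
}

# Zone to declare in named.conf.local: the network nibbles reversed, plus ip6.arpa
# ip6_zone 2002:4687:db25:2:20c:29ff:fe4d:e52c 64 -> 2.0.0.0.5.2.b.d.7.8.6.4.2.0.0.2.ip6.arpa
ip6_zone() {
  nibbles=$(expand_nibbles "$1") || return 1
  n=$(($2 / 4))
  [ $(($2 % 4)) -eq 0 ] && [ "$n" -ge 1 ] && [ "$n" -le 32 ] || return 1
  printf '%s.ip6.arpa\n' "$(reverse_dotted "$(printf '%s' "$nibbles" | cut -c1-"$n")")"
}

# Owner name of the PTR record inside that zone: only the host nibbles, reversed
# ip6_ptr_owner 2002:4687:db25:2:20c:29ff:fe4d:e52c 64 -> c.2.5.e.d.4.e.f.f.f.9.2.c.0.2.0
ip6_ptr_owner() {
  nibbles=$(expand_nibbles "$1") || return 1
  n=$(($2 / 4))
  [ $(($2 % 4)) -eq 0 ] && [ "$n" -ge 0 ] && [ "$n" -lt 32 ] || return 1
  reverse_dotted "$(printf '%s' "$nibbles" | cut -c$((n + 1))-)"
  printf '\n'
}

# Complete PTR line for the zone file:
# ptr_record 2002:4687:db25:2:20c:29ff:fe4d:e52c 64 linuxcbtdeb1.linuxcbt.internal.
ptr_record() {
  owner=$(ip6_ptr_owner "$1" "$2") || return 1
  printf '%s IN PTR %s\n' "$owner" "$3"
}
```

The generated owner names are relative to the zone, which is why the zone's $ORIGIN must be exactly the name ip6_zone prints; a mismatch produces records nobody ever queries.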

###Samba###

Features:

1. SMB/CIFS file & print server (LAN Manager/NetBIOS-compatible) for Linux | Unix-based systems

2. Publish shares

3. Publish printers

4. Authenticate to AD

Tasks:

1. Install Samba support

Note: Either client or server requires the 'samba-common' package

Note: 'smb.conf' is the primary config file with settings for: clients & servers

2. Explore key clients

a. /usr/bin/smbtree - functions akin to network neighborhood (enumerates SMB hosts) - uses broadcast and WINS (if defined)

- Also returns workgroups, and shares

b. 'smbtree'

/usr/bin/smbclient - permits connections to shares - interactively - FTP-like

Note: MacOSX also includes 'smbclient'

c. 'smbclient -U dean //linuxcbtwin1/LinuxCBT' - prompts for dean's password

d. SMBGet - like 'wget'

d1. 'smbget -u administrator smb://linuxcbtwin1/LinuxCBT/1million.txt'

e. SMBTar - like 'smbget' but rolls items into a tarball

e1. 'smbtar -s linuxcbtwin1 -x temp2 -p "abc123" -u dean -t linuxcbtwin1.backup.tar'

Note: A password given on the command line ('-p') is visible to every local user in the process list ('ps') and lands in the shell history; for scripted runs, 'smbclient -A <credentials-file>' with a file readable only by the invoking user avoids this

3. Install Samba Server

a. Explore the configuration

Note: Samba is implemented primarily as 2 daemons:

1. 'smbd' - server message block daemon - SMB/CIFS requests for file & print services

2. 'nmbd' - NetBIOS name registration/resolution - WINS connectivity

/etc/init.d/samba - INIT script for both daemons

/etc/samba - top-level container (directory) for Samba configuration files

/usr/sbin/nmbd - NETBIOS Name Daemon

/usr/sbin/smbd - SMB/CIFS - File & Print Server

/etc/samba/smb.conf - primary, monolithic config file, managed manually and/or by SWAT

Note: It is recommended that you select 1 method of: smb.conf management: SWAT or manual

Note: /var/log/samba/log.%m - each SMB/CIFS client spawns a distinct log file

b. Start Samba Server

b1. 'invoke-rc.d samba start' - this starts 'smbd' & 'nmbd'

Note: 'smbd' binds to TCP:139 for IPv4 & IPv6 - SMB over the NetBIOS session service

Note: 'smbd' ALSO binds to TCP:445 for IPv4 & IPv6 - direct-hosted SMB/CIFS, without NetBIOS

Note: 'nmbd' binds to UDP:137 & UDP:138 for NetBIOS name & datagram support

Note: Samba dynamically generates $HOME shares ([homes]) for connecting clients

Note: These $HOME shares do NOT appear in 'smbtree' dumps, but every local account becomes a share target; limit reachability with 'hosts allow' and 'interfaces' in smb.conf

###Samba Web Administration Tool (SWAT)###

Features:

1. Web-GUI to manage Samba

/usr/sbin/swat - primary binary

Tasks:

1. Explore Interface

1a. http://localhost:901

Note: SWAT runs from inetd on TCP:901 and authenticates with the system 'root' password over clear-text HTTP; use it from localhost only (or through an SSH tunnel), never across the network

1b. Documentation

1c. Globals - globals area of: smb.conf - global directives - NETBIOS Name, Network info, etc.

Note: SWAT, upon invocation, loads directives from: smb.conf

Note: SWAT presents 2 views:

1. Basic - reflects commonly-referenced, important, directives

2. Advanced - reflects ALL Samba-supported directives

2. Manage Users using 'smbpasswd'

2a. 'smbpasswd -a linuxcbt' - adds a Samba password for the existing system user 'linuxcbt'; Samba keeps its own password database, separate from /etc/shadow

###NFS####

Features:

1. Transparent access to remote file systems

2. Ability to consolidate and centralize storage

3. Roaming users

Tasks:

1. Explore the client package: 'nfs-common'

1a. 'showmount linuxcbtdeb1' - lists the clients currently mounting from the server; 'showmount -e linuxcbtdeb1' lists the exports it offers

2. Install NFS-Kernel-Server

3. Export directories

3a. 'nano /etc/exports' - include '/public' - read only

3b. 'showmount --all linuxcbtdeb1' - reveals which hosts currently have which exports mounted

3c. publish content: /public with various permissions for various hosts

'nano /etc/exports' - include updates

'exportfs -r' - re-exports the items listed in: /etc/exports - removes old rule(s) and publishes new rules

Note: By default, 'root_squash' is enabled on ALL NFS exports

Note: Root squashing maps the client's 'root' user to the server's anonymous user ('nobody'/'nogroup' on Debian); 'no_root_squash' lets root on any permitted client write as root on the server

Note: NFSv3 trusts the client's claimed UID/GID; the host list in /etc/exports is the only access control, so export to named hosts or subnets, never to '*'
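
The weak and the hardened form of the export side by side, as an added example (not the page's file); the hosts are the page's lab addresses, and 192.168.75.50 is assumed to be the one client that needs write access:

```conf
# /etc/exports - added example, not the page's file
#
# Weak: every host on every network, writable, and client root stays root on the server
# /public  *(rw,no_root_squash)
#
# Hardened: named clients, least privilege per client, root squashed (the default, made explicit).
# A host and a subnet may both match; the first matching entry wins, so the specific host comes first.
/public  192.168.75.50(rw,sync,root_squash)
/public  192.168.75.0/24(ro,sync,root_squash)
```

After editing, 'exportfs -r' applies the change and 'exportfs -v' prints what the kernel actually exports, options included; that second output is the one to review, since it shows the defaults exportfs filled in.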

###File System in User Space (FUSE)###

Features:

1. Permits non-root users the ability to mount FSs into user-space

Tasks:

1. Install fuse-utils & fuseiso

1a. using Synaptic

2. Download an ISO image

3. Use FUSE (fuseiso) to mount the image

3a. 'fuseiso -p filename.iso isotemp/' - auto-creates the 'isotemp/' mount point and deletes it upon unmounting ('fusermount -u isotemp/')

Note: FUSE mounts using i.e. 'fuseiso' are viewable by the owner of the mount only, by default

Note: /etc/

Note: non-root users must be made members of the 'fuse' group in order to use 'fuse'

4. Install SSHD - so we may generate a new login session for the user to use 'fuse' (group membership is read at login)

Note: By default, even 'root' is unable to interact with FUSE-mounted virtual file systems mounted by other users, unless the mount is made with 'allow_other' (which requires 'user_allow_other' in /etc/fuse.conf)

Note: http://fuse.sourceforge.net/ - explore other modules

Note: The underlying FS is ultimately responsible for DAC permissions

###Apache Web Server###

Features:

1. De facto standard HTTP server

2. Modular

3. Supports IPv6 (implies IPv4) by default

Tasks:

1. Confirm installation/explore packages

/etc/apache2 - top-level configuration file container

/etc/apache2/conf.d - container for additional configuration snippets, included by apache2.conf

/etc/apache2/conf.d/apache2-doc - documentation config directives

/etc/apache2/apache2.conf - primary configuration file in Debian; all other config files are included from it. The stock /etc/apache2/httpd.conf is an empty file reserved for local additions (upstream Apache uses httpd.conf as the primary file)

###Aliases re-route user requests from web-space to file-system space###

Alias /manual /usr/share/doc/apache2-doc/manual/

<Directory "/usr/share/doc/apache2-doc/manual/">

Options Indexes FollowSymlinks

# Ensures that .htaccess directives do NOT apply

AllowOverride None

Order allow,deny

Allow from all

AddDefaultCharset off

</Directory>

ports.conf - contains IP binding information

Note: Apache is started as &#39;root&#39; and then subsequent processes (children) run as non-privileged user

ErrorLog /var/log/apache2/error.log - global error log. Applies to ALL virtual hosts if undefined at the virtual host level

Note: Apache directives flow top-down. If a directive is undefined at the virtual host level, the default host (apache2.conf|httpd.conf) directive(s) will apply

Modules:

1. 'mods-available' - repository of *.conf & *.load items

2. 'mods-enabled' - symlinked items to 'mods-available' ('a2enmod'/'a2dismod' manage the links)

Note: *.load files contain 'LoadModule' statements to load the *.so file

1. 'sites-available' - repository of sites (virtual hosts)

2. 'sites-enabled' - symlinks to 'sites-available' ('a2ensite'/'a2dissite' manage the links)

/etc/apache2/sites-available/default:

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - # Like Alias, but permits CGI script execution

Alias /doc/ "/usr/share/doc/" - # permits HTTP access to system documentation

Note: The trailing '/' MUST be preserved by the connecting client: with 'Alias /doc/', a request for '/doc' (no slash) does not match

Note: /usr/share/doc reveals installed package names and versions; keep the /doc/ alias limited to localhost (the Debian default site does so with 'Allow from 127.0.0.0/255.0.0.0 ::1/128'), or remove it

###Apache Logs###

Features:

1. Extracts from client-server communications

Tasks:

1. Explore the default log configuration

/etc/apache2/apache2.conf - contains the default formats

Note: Apache supports 2 types of logs:

1. Error log (error.log) - diagnostic messages from the server and its modules, at levels from debug to emerg

2. Access log (access.log) - one entry per request served, with the status code returned, whether the request succeeded or not

Both files are located in: /var/log/apache2

/etc/apache2/apache2.conf

Syntax: LogFormat One_or_more_vars nickname/alias

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

#

# Define an access log for VirtualHosts that don&#39;t define their own logfile

CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined

LogFormat Vars:

%v - name of the virtual host that created the log entry

%p - port of the virtual host

%h - connecting host's IP address, by default (a hostname only if HostnameLookups is on)

%l - remote logname from identd; usually non-existent: '-'

%u - remote user name - present wherever authentication is used, i.e. Basic, Digest, etc.

%t - timestamp of the request, from the server's perspective

%r - the request line: method, path and protocol, i.e. "GET /index.html HTTP/1.1"

%>s - final status code returned to the client - i.e. 2xx (success), 3xx (redirects), 4xx (client/content errors), 5xx (server errors); '%s' would log the original status before any internal redirect

%b - size of the content returned to the client, '-' when nothing was sent; optional '%B' logs '0' instead of '-'

%{Referer}i - the Referer request header: who sent you here (note the header's historic single-r spelling)

%{User-Agent}i - the connecting browser: IE, Firefox, Chrome, iPhone, Droid, etc.

Note: Every value after %h comes from the client and is untrusted: the request line, Referer and User-Agent may carry anything, including terminal escape sequences and fake log entries, so parse logs with tools rather than by eye in a raw terminal

Note: A virtual host may carry several CustomLog directives, so you may configure it to log to separate files (i.e. a 'combined' and a 'referer' log) simultaneously

###Sample Log Entry###

127.0.0.1 - - [22/Mar/2010:12:02:48 -0400] "GET /manual/en/mod/mod_log_config.html HTTP/1.1" 200 6959 "http://localhost/manual/en/logs.html" "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.18) Gecko/20080528 Epiphany/2.22"

Note: Every request appears in access.log with its status, whether 2xx, 4xx or 5xx; error.log holds the server's diagnostic message (i.e. 'File does not exist', 'Premature end of script headers') that accompanies many 4xx and 5xx responses

Note: Correlate the two by client IP and timestamp: a run of 404s in access.log from one client is a path scan; a 500 in access.log has its cause in error.log
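
The status code is the field that turns access.log into a detection source. The added example below (not code from the page) parses constructed 'combined'-format lines, counts status classes per client, and names clients whose 4xx count looks like a path scan; the first sample line is the page's own entry, the rest are invented.

```bash
#!/bin/sh
# Added example: per-client status-class counts from an Apache 'combined' access log.
# ACCESS_SAMPLE is constructed: line 1 is the page's sample entry, the others are invented.

ACCESS_SAMPLE='127.0.0.1 - - [22/Mar/2010:12:02:48 -0400] "GET /manual/en/mod/mod_log_config.html HTTP/1.1" 200 6959 "http://localhost/manual/en/logs.html" "Mozilla/5.0"
192.168.75.101 - - [22/Mar/2010:12:05:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 296 "-" "Mozilla/4.0"
192.168.75.101 - - [22/Mar/2010:12:05:02 -0400] "GET /pma/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.168.75.101 - - [22/Mar/2010:12:05:03 -0400] "GET /admin/ HTTP/1.1" 404 291 "-" "Mozilla/4.0"
192.168.75.101 - - [22/Mar/2010:12:05:04 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 403 290 "-" "Mozilla/4.0"
192.168.75.31 - dean [22/Mar/2010:12:06:10 -0400] "POST /site1/upload.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.75.31 - - [22/Mar/2010:12:06:11 -0400] "GET / HTTP/1.1" 200 1250 "-" "Mozilla/5.0"'

# Output "ip class count" per client and status class (2xx/3xx/4xx/5xx), sorted.
# The request line is quoted and attacker-controlled (it may contain spaces), so the
# status is located relative to the closing quote rather than by a fixed field number.
status_by_client() {
  printf '%s\n' "$ACCESS_SAMPLE" | awk '
    {
      n = split($0, q, "\"")          # q[2] = request line, q[3] = " status bytes "
      split(q[3], rest, " ")
      class = substr(rest[1], 1, 1) "xx"
      count[$1 " " class]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Clients with at least $1 (default 3) 4xx responses: the signature of path scanning.
scanners() {
  threshold=${1:-3}
  status_by_client | awk -v t="$threshold" '$2 == "4xx" && $3 >= t { print $1 }'
}

# Against the live log: ACCESS_SAMPLE=$(cat /var/log/apache2/access.log); scanners 20
```

The threshold is a starting point, not a verdict: a broken link on a busy page also produces 404s, so check what the paths were before blocking anyone.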

###Virtual Hosts###

Features:

1. IP-based - one IP per site

2. Name-based - shared IP address across sites; Apache selects the vhost by the Host: request header

Tasks:

1. Explore Default Host configuration

<VirtualHost IP[:Port]>

One or more directives

ServerName

DocumentRoot

<Directory *>

</Directory>

</VirtualHost>

2. Define users and setup virtual hosts for those users

a. Site1 (Name-based VHost):

<VirtualHost *:80>

#One or more directives

ServerName site1.linuxcbt.internal

DocumentRoot /home/site1/wwww

<Directory /home/site1/wwww>

Options -Indexes FollowSymLinks -MultiViews

AllowOverride None

Order allow,deny

allow from all

</Directory>

</VirtualHost>

b. Update DNS to include the new site

Repeat for the second client: (site2)

a. Site2 (Name-based VHost):

<VirtualHost *:80>

#One or more directives

ServerName site2.linuxcbt.internal

DocumentRoot /home/site2/wwww

<Directory /home/site2/wwww>

Options -Indexes FollowSymLinks -MultiViews

AllowOverride None

Order allow,deny

allow from all

</Directory>

</VirtualHost>

b. Update DNS to include the new site

Note: Apache serves the first virtual host defined for that address (the default) if the Host: header of the request doesn't match any of the defined virtual hosts, so keep the default site deliberately minimal

3. Reconfigure the name-based virtual hosts to be IP-based virtual hosts

Note: After the VHosts update, be sure to update DNS

###Apache SSL###

Features:

1. Encrypted communique between client & server

2. Confidentiality and integrity of communique

3. Ability to have 3rd-party sign-off (public CA) i.e. GoDaddy, Thawte, etc.

4. Ability to self-sign certificates

Tasks:

1. Explore the SSL environment

The 'ssl-cert' package is required

'/usr/sbin/make-ssl-cert' - generates a self-signed certificate - wrapper for 'openssl'

'/usr/share/ssl-cert/ssleay.cnf' - template for generating self-signed certs

Note: A self-signed cert encrypts, but gives clients no way to tell your server from an impostor's; a browser warning is the expected outcome

2. Enable 'default-ssl'

2a. symlink 'default-ssl' from 'sites-available' to 'sites-enabled' ('a2ensite default-ssl')

2b. symlink 'ssl.*' from 'mods-available' to 'mods-enabled' ('a2enmod ssl')

Note: Both the private key and the certificate will appear in the same PEM file; keep that file out of /etc/ssl/certs (world-readable) and under /etc/ssl/private, mode 0640 root:ssl-cert at most

2c. Confirm the: /etc/apache2/ports.conf configuration to ensure: 'Listen 443' is present

2d. 'invoke-rc.d apache2 restart'

2e. Test SSL communications

Note: The '_default_:443' SSL VHost will respond to requests on ALL IPv[4|6] addresses

3. Segment SSL traffic using IP-based virtual hosts

Note: The Apache 2.2 shipped with Debian 5 predates SNI support, so name-based virtual hosts cannot present different certificates on one IP:port; hence one IP (or port) per SSL site

3a. Update: /etc/apache2/ports.conf

3b. Update: /etc/apache2/sites-enabled/default-ssl

4. SSL-enable IP-based Virtual Host: site1.linuxcbt.internal

4a. site1.linuxcbt.internal

4b. 'make-ssl-cert /usr/share/ssl-cert/ssleay-site1.cnf /etc/ssl/certs/site1ssl.pem' - the output file also holds the private key, so /etc/ssl/private is the better location (as in 5a)

4c. 'cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/site1-ssl'

4d. Update '/etc/apache2/ports.conf'

4e. 'cd /etc/apache2/sites-enabled && ln -s ../sites-available/site1-ssl'

4f. Change the SSL port to non-standard: TCP:4443

5. SSL-enable IP-based Virtual Host: site2.linuxcbt.internal

5a. 'make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/site2ssl.pem'

5b. 'cp /etc/apache2/sites-available/site1-ssl /etc/apache2/sites-available/site2-ssl'

5c. symlink sites-available/site2-ssl to: /etc/apache2/sites-enabled

5d. update: /etc/apache2/ports.conf to 'Listen 192.168.75.32:443'

###PHP###

Features:

1. Dynamic Web page generation

2. Operates from the CLI as well, i.e. like 'perl'

Tasks:

1. Explore the default configuration

2. Expose the info page

2a. '<? phpinfo(); ?>' - PHP code with short tags; '<?php phpinfo(); ?>' works regardless of the 'short_open_tag' setting

Note: phpinfo() discloses the PHP version, loaded modules, file-system paths and environment; remove the page once testing is complete

###Webalizer - Log Analysis###

Features:

1. Common Log Format (CLF) - default for Apache

2. Combined Log Format - includes CLF plus User-Agent, Referer

3. FTP

4. Post-processor

5. Yields yearly, monthly, daily and hourly stats

6. May be executed via cron

Tasks:

1. Install 'webalizer'

2. Explore the package

/usr/bin/webalizer - primary binary

/etc/webalizer/webalizer.conf - primary config

/etc/cron.daily/webalizer - runs daily

/usr/bin/webazolver - symlinked to: /usr/bin/webalizer - invokes webalizer in DNS-resolve mode

3. Process the log file - default site

3a. modify: /etc/webalizer/webalizer.conf

Note: Typically users/administrators maintain 1 webalizer.conf file per site

Note: The report is built from untrusted log fields (Referer, User-Agent, request paths); serve the output directory to administrators only

4. Execute 'webalizer'

4a. 'webalizer'

5. Setup in cron to auto-run

###Patch Manager###

Features:

1. Self-managing: the update manager checks the configured repositories on its own

2. Downloads, by default, security updates

3. References: /etc/apt/sources.list - which must contain the http://security.debian.org entry

Note: Debian security updates are provided free-of-charge

4. Can be configured to serve updates internally, via /etc/apt/sources.list, i.e. from a local mirror

Note: APT verifies repository signatures (Release.gpg) against its keyring; a faithful internal mirror still carries Debian's signed metadata, so do not disable that check to make a mirror work

###MySQL###

Features:

1. RDBMS

Tasks:

1. Install MySQL

1a. Forces the installation of the 'mysql-client-*' package, plus dependencies and metapackages

Note: Aptitude auto-resolves the latest packages from its list of sources

Note: The default super-user is named: 'root', NOT to be confused with the Linux user: 'root'

Note: MySQL maintains users internally within the default 'mysql' DB, 'user' table

2. Explore MySQL packages

2a. '/usr/bin/mysql' - primary client, which provides terminal, interactive | non-interactive support

2a1. 'mysql -p' - prompts for the password (avoid '-pPASSWORD', which exposes it in the process list and shell history)

2a2. 'mysql -e "command" [database]' - executes the command

Note: MySQL users are defined in the form: user@host, i.e. 'root@localhost'

Note: The default Debian MySQL implementation disables 'anonymous access', enforces a password for the 'root' users and binds to 127.0.0.1 only ('bind-address' in /etc/mysql/my.cnf)

2b. '/usr/bin/mysqldump' - backs-up one or more DBs

2c. '/usr/bin/mysqladmin' - shutdown | change password | status | etc.

2d. '/usr/bin/mysqlimport' - imports data from text files

Note: Each MySQL client reads a hierarchy of configuration files: global (/etc/mysql/my.cnf) & local (~/.my.cnf) and CLI-options

3. Define a simple database and data set

3a. 'CREATE DATABASE addressBook;'

3b. 'CREATE TABLE contacts (`fname` CHAR(20), `lname` CHAR(20), `phone1` CHAR(20), `email` CHAR(30), PRIMARY KEY (`email`));'

3c. 'INSERT INTO contacts (fname,lname,phone1,email) VALUES ('Johan','Doe','888-573-4943','john.doe@linuxcbt.com');'

3d. 'INSERT INTO contacts (fname,lname,phone1,email) VALUES ('Jane','Doe','888-573-4943','jane.doe@linuxcbt.com');'

3e. 'UPDATE contacts SET fname='John' WHERE fname='Johan';'

3f. 'DELETE FROM contacts WHERE fname='John';'

Note: Applications should not connect as 'root': 'CREATE USER' and 'GRANT SELECT, INSERT, UPDATE, DELETE ON addressBook.* TO' a dedicated user@host, so that a compromised web application cannot reach the 'mysql' DB

###PHPMyAdmin###

Features:

1. De facto Web GUI to administer MySQL

2. Echoes the resultant SQL commands per execution. i.e. click on something and the SQL statement appears. Helps you to learn SQL syntax.

Tasks:

1. Install PHPMyAdmin

2. Explore package contents

###Postfix - SMTP###

Features:

1. Message Transfer Agent

2. Derivative/improvement on SendMail

Tasks:

1. Install Postfix

/usr/sbin/postconf - used to dump/change the Postfix configuration

/usr/sbin/postsuper - admin duties on the running server's queue (hold, requeue, delete)

/usr/sbin/sendmail - drop-in replacement for the original Sendmail binary

/usr/lib/postfix/smtp - SMTP client used by Postfix to talk to other SMTP servers

/usr/lib/postfix/smtpd - SMTP server used to receive messages and connections

/usr/bin/mailq - enumerates the contents of the mail queue

/usr/lib/postfix/master - main master binary, which controls all of Postfix's daemons

2. Explore the configuration

/etc/postfix - primary, top-level configuration container

/etc/postfix/main.cf - primary config file

###Aptitude - Sources.list Update###

Features:

1. Ability to reference packages from the file system

Tasks:

1. Mount ISO image permanently and reference it via: /etc/apt/sources.list

1a. 'mount -t iso9660 -o loop /home/linuxcbt/Debian_5x/debian-504-i386-DVD-1.iso /home/linuxcbt/Debian_5x/1' - mounts the ISO image at the target location

1b. Update: /etc/fstab

1c. Update: /etc/apt/sources.list via Synaptic Package Manager, or manually from the shell

1d. Reload the package repository DB using Synaptic Package Manager

###IMAP/POP3 Support###

Features:

1. IMAP - stores message on the server, entirely. i.e. GMAIL, Yahoo, OWA

2. POP3 - used to download messages to client.

3. Mail-retrieval protocols

4. Support for encryption: SSL/TLS

5. Dovecot: supports both mbox and Maildirs

Tasks:

1. Install Dovecot IMAP. Removes existing IMAPD package, by default

2. Explore the contents of Dovecot

/etc/dovecot/dovecot.conf - primary config file

3. Retrieve messages using MUA: IMAPD

4. Install POP3D

5. Disable clear-text mail-retrieval support

5a. /etc/dovecot/dovecot.conf - disable 'pop3' & 'imap'

5b. 'invoke-rc.d dovecot restart' - unbinds clear-text protocols

###SquirrelMail###

Features:

1. Web GUI/Mail User Agent (MUA) for accessing mail via IMAPD - front-end

2. Virtual hosts

3. Modular

Note: To obtain the latest, navigate to: squirrelmail.org

Tasks:

1. Install Squirrelmail

2. Explore configuration

/etc/squirrelmail/apache.conf - primary Apache config file

3. Access & browse SquirrelMail interface

4. Enable IMAP (clear-text)

###GNU Privacy Guard (GPG)###

Features:

1. Implements the OpenPGP standard

2. Provides data encryption services based on PKI (asymmetric encryption)

3. Digital signatures (based on owner's private key)

4. Auto-compresses content

Tasks:

1. Explore the GPG environment

/usr/bin/gpg - primary binary used to encrypt/decrypt correspondence (files/e-mails/etc.)

1a. ' gpg --list-keys ' - enumerates public keys on key chain

1b. ' gpg --gen-key ' - generates PKI pair of keys

1c. ' gpg --export ' - exports the public key, so that others may encrypt information to us

Note: Repeat the process on the remote user's side to have 2-way encryption/signature services

Note: Digital signatures prove authenticity because access to the secret/private key of the PKI pair is restricted to the owner and 'root'

Note: A passphrase adds an additional level of security to PKI in the event that the PKI pair has been compromised: physically (locally), or remotely

2. Generate usage keys on remote side

2a. 'gpg --gen-key' - generate keys as 'root'

Note: 'gpg --list-secret-keys' - enumerates private key(s) from keychain

3. Sign and encrypt data to ourself

3a. 'gpg --encrypt -r pub_key_ID 1000.txt' - generates '1000.txt.gpg' encrypted file

3b. 'gpg --decrypt 1000.txt.gpg' - decrypts, if private key is on keychain of current user

3c. 'gpg --encrypt -o 1000.txt.pgp -r pub_key_ID 1000.txt' - encrypts with '.pgp' suffix

4. Sign and encrypt with business partner (root@linuxcbtsuse1.linuxcbt.internal)

4a. Exchange public keys

'gpg --export' - creates binary file

'gpg --import key_file' - imports key file

###Network Mapper (NMap)###

Features:

1. Reconnaissance Scans

2. Set a baseline configuration

3. Compare against the baseline

4. Port scans

5. Host | device detection: i.e. Jetdirect card, Dell box, Apple computer, etc.

6. Service detection: i.e. VSFTPD, SSH and optionally version

7. Multi-target scanning

8. Automation

9. IPv6 scanning

Tasks:

1. Install NMap

2. Explore package | usage

/usr/bin/nmap - primary binary

/usr/share/nmap/nmap-mac-prefixes - host | device detection

/usr/share/nmap/nmap-services - port-to-servicename conversion

3. Run 'nmap' in a variety of ways to help tighten our security posture

3a. ' nmap -v localhost'

Note: As 'root' nmap defaults to 'SYN' scans, however, as anyone else, nmap defaults to 'TCP Connect' scans.

Note: Usually, 'SYN' scans do not alert the application behind the open port, however, 'TCP Connect' scans complete the 3-way TCP handshake, alerting the listening application

Note: A scan of the loopback adapter is not indicative of what remote users will see, with some exceptions: i.e. SSH tunnels

3b. 'nmap -v 192.168.75.30-32' - scans 3 IPs, .30, .31, .32, for open TCP ports

3c. 'nmap -v -sU 192.168.75.30-32' - scans 3 IPs for open UDP ports

3d. 'nmap -v -sV ...' - performs a service scan, which returns: service names and versions

Note: NMap defaults to TCP scans because the majority of applications are TCP-based

Note: NMap dumps output, by default, to STDOUT, which means you will lose valuable info. if you don't route it to a log file

3e. 'nmap -v -sV -iL filename' - supply host(s) via a file

3f. 'nmap -v -oN nmap.scan.log -sV -iL filename' - creates Normal NMap output

3g. 'nmap -v -sP -oN nmap.scan.log -iL filename' - performs a quick PING scan

3h. 'nmap -v -p 3389 -oN nmap.scan.log -iL filename' - scans TCP:3389 across the subnet

Note: Ensure that centralized NMap host has unfettered access to interesting subnets

3i. 'nmap -v -O -oN nmap.scan.log -iL filename' - scans for OS detection
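Features 2 and 3 above (set a baseline, compare against it) become useful once the Normal (-oN) logs are diffed rather than eyeballed. The following is an added example, not part of the LinuxCBT notes: it parses two constructed -oN samples and reports listeners that appeared or vanished per host, including a host whose ports all closed.

```python
import re

# Constructed samples of nmap "Normal" (-oN) output for two hosts, captured on
# two different days; these are not real scan results
BASELINE = """\
# Nmap 5.00 scan initiated (constructed sample)
Interesting ports on 192.168.75.30:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 5
25/tcp open  smtp    Postfix smtpd
Interesting ports on 192.168.75.31:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.1p1 Debian 5
"""
CURRENT = """\
Interesting ports on 192.168.75.30:
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.1p1 Debian 5
25/tcp  open  smtp    Postfix smtpd
143/tcp open  imap    Dovecot imapd
All 1000 scanned ports on 192.168.75.31 are closed
"""

# nmap 5.x writes "Interesting ports on HOST:"; later releases write
# "Nmap scan report for HOST". A host with nothing open gets a one-line summary.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on) (.+?):?$")
CLOSED_RE = re.compile(r"^All \d+ scanned ports on (.+?) are (?:closed|filtered)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def parse_normal_output(text):
    """Return {host: {(port, proto, service), ...}} from -oN text."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line) or CLOSED_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, set())
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].add((int(m.group(1)), m.group(2), m.group(3)))
    return hosts

def compare(baseline, current):
    """Return (added, removed): open listeners that appeared/vanished per host."""
    added, removed = {}, {}
    for host in set(baseline) | set(current):
        before, now = baseline.get(host, set()), current.get(host, set())
        if now - before:
            added[host] = sorted(now - before)
        if before - now:  # also catches hosts that dropped out of the scan entirely
            removed[host] = sorted(before - now)
    return added, removed
```

Route each day's `-oN` file into `parse_normal_output` and alert on a non-empty `added`; a new listener such as clear-text IMAP on 143 is exactly what the Lockdown checklist later tells you to remove.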

###TCPDump###

Features:

1. Packet capturing of myriad protocols

2. Supports: Berkeley Packet Filters (BPFs)

Tasks:

1. Install TCPDump

/usr/sbin/tcpdump - primary binary

2. Usage examples

2a. 'tcpdump -v -i eth0'

'02:08:38.419385 IP (tos 0x0, ttl 64, id 54461, offset 0, flags [DF], proto TCP (6), length 62) macbook1.local.60842 > linuxcbtdeb1.linuxcbt.internal.5900: P, cksum 0x029e (correct), 191:201(10) ack 695980 win 65535 <nop,nop,timestamp 212564549 65206757>'

2b. 'tcpdump -w tcpdump.capture -i eth0' - creates a TCPDump file

2c. 'tcpdump -r tcpdump.capture' - reads the previously-created TCPDump file

2d. 'tcpdump -c 3 -i eth0 -w tcpdump.capture2' - captures 3 packets and exits

Note: Each packet is represented by a line, but the terminal will invariably wrap each line

2e. 'tcpdump -C 1 -w tcpdump.capture3' - captures 1 million bytes, then creates a new file

2f. 'tcpdump -A -i eth0' - dumps packet payload

2g. 'tcpdump -e -i eth0' - dumps layer-2 (MAC) info.

2h. 'tcpdump -A -e -i eth0' - dumps payload and MAC info. - layers 2-7

Note: Packet capturing is a linear progression. Latest information is at the bottom of the capture.

2i. 'tcpdump -D' - dumps the available interfaces

2j. 'tcpdump -n ...' - dumps captures without name resolution

3. Apply BPFs

Note: TCPDump supports 3 Qualifiers:

1. Type - host|net|port

2. Direction - src, dst, src or dst, src and dst

3. Protocol - ip, tcp, udp, icmp, etc.

Note: BPFs support logical ANDing and ORing

3a. 'tcpdump -i eth0 -w tcpdump.linuxcbtserv1.capture.1 host 192.168.75.111'

3b. 'tcpdump -i eth0 -w tcpdump.linuxcbtserv1.capture.2 host 192.168.75.111 and tcp port 21'

Note: BPFs are applicable, for the most part, if a tool is TCPDump-compliant
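To make the three qualifiers concrete, here is an added example (not from the LinuxCBT notes) that evaluates a small subset of the pcap-filter syntax against constructed packet records: proto, direction and type qualifiers in tcpdump's `[proto] [dir] type value` order, joined with and/or. One caveat it encodes: in tcpdump, `and` and `or` have equal precedence and group left to right, so `icmp or udp and port 53` means `(icmp or udp) and port 53`.

```python
import ipaddress

# Constructed packet records standing in for a capture; not taken from the page
PACKETS = [
    {"src": "192.168.75.111", "dst": "192.168.75.30", "proto": "tcp", "sport": 40001, "dport": 21},
    {"src": "192.168.75.30", "dst": "192.168.75.111", "proto": "tcp", "sport": 21, "dport": 40001},
    {"src": "192.168.75.50", "dst": "192.168.75.30", "proto": "udp", "sport": 5353, "dport": 53},
    {"src": "192.168.75.111", "dst": "192.168.75.30", "proto": "icmp"},
]
PROTOS = ("ip", "tcp", "udp", "icmp")

def _field_matches(kind, value, field):
    """Match one address or port against a host, port or net (CIDR) value."""
    if kind == "host": return field == value
    if kind == "port": return field == int(value)  # ICMP has no ports -> None != int
    return ipaddress.ip_address(field) in ipaddress.ip_network(value, strict=False)

def _qualifier(kind, value, direction, proto):
    """Predicate for '[proto] [direction] type value' (direction defaults to src or dst)."""
    def test(pkt):
        if proto not in (None, "ip") and pkt["proto"] != proto: return False
        fields = ("sport", "dport") if kind == "port" else ("src", "dst")
        s, d = (_field_matches(kind, value, pkt.get(f)) for f in fields)
        return {"src": s, "dst": d, "both": s and d}.get(direction, s or d)
    return test

class BPF:
    """Left-to-right 'and'/'or' chain of primitives, as tcpdump groups them; no 'not'."""
    def __init__(self, expr):
        expr = expr.replace("src or dst", "either").replace("src and dst", "both")
        self.tok, self.i = expr.split(), 0
        self.fn = self._prim()
        while self.i < len(self.tok):
            op, left, right = self._take(), self.fn, self._prim()
            if op == "and": self.fn = (lambda l, r: lambda p: l(p) and r(p))(left, right)
            elif op == "or": self.fn = (lambda l, r: lambda p: l(p) or r(p))(left, right)
            else: raise ValueError(f"expected and/or, got {op!r}")
    def _peek(self): return self.tok[self.i] if self.i < len(self.tok) else None
    def _take(self): self.i += 1; return self.tok[self.i - 1]
    def _prim(self):
        proto = self._take() if self._peek() in PROTOS else None
        direction = self._take() if self._peek() in ("src", "dst", "either", "both") else "either"
        if self._peek() in ("host", "net", "port"):
            kind, value = self._take(), self._take()
            return _qualifier(kind, value, direction, proto)
        if proto:  # bare protocol qualifier, e.g. 'udp'
            return lambda p: proto == "ip" or p["proto"] == proto
        raise ValueError(f"unexpected token {self._peek()!r}")
    def filter(self, packets): return [p for p in packets if self.fn(p)]
```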

###WireShark, formerly known as: Ethereal###

Features:

1. Packet Capture & analysis

2. Support for: BPFs (run-time) and Display Filters (post-processing)

Tasks:

1. Install WireShark

/usr/bin/wireshark - primary binary - run as 'root'

2. Explore interface

Note: Wireshark defaults to: nanosecond precision, however, TCPDump defaults to: microsecond precision

3. Perform various captures/analysis of clear-text, FTP traffic

Note: Consider deploying centralized sniffers and route files to back-end post-processor running Wireshark.

###Lockdown###

Features:

1. Improve security posture

Tasks:

1. Screensaver set based on inactivity timer

2. Secure your BIOS

2a. Setting a usage password

2b. Disabling removable boot devices: USB, Optical drives

3. Secure the bootloader: GRUB

3a. 'grub-md5-crypt' - generates an MD5 password for GRUB: /boot/grub/menu.lst

Note: Consider 'dmcrypt' or 'eCryptFS' to encrypt the FS, in the event the drive is physically compromised, and/or other measures have been circumvented.

Note: 'dmcrypt' requires a password for startup

4. /etc/login.defs - contains defaults for a variety of account variables

Note: Ensure that password encryption algo matches PAM: /etc/pam.d/*

5. Remove 'nullok' from: /etc/pam.d/* - if exists

6. Disable superfluous services/daemons:

6a. 'netstat -nutlp' - returns listeners for TCP | UDP

Checklist of daemons to disable:

1. samba-swat - INETD controlled

1a. ' update-inetd --disable swat' - disables service in INETD

2. imap - TCP:143

2a. '/etc/dovecot/dovecot.conf'

3. ssh - restrict to 1-IP

4. postgres

4a. 'update-rc.d -f postgresql-8.3 remove'

5. smbd|nmbd

5a. 'update-rc.d -f samba remove && /etc/init.d/samba stop && ps -ef | grep smb'

6. vsftpd

6a. 'update-rc.d -f vsftpd remove && /etc/init.d/vsftpd stop && ps -ef | grep vsftpd'

7. tftpd

7a. 'update-inetd --disable tftp'

8. Disable 'root' access via SSHD

Note: Consult Debian documentation for info on: harden* packages
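The checklist above can be turned into a repeatable audit of the `netstat -nutlp` output from step 6a. The following added example (not part of the LinuxCBT notes) parses a constructed netstat listing, matches each listener against the checklist ports, and flags sshd bound to every interface as something to restrict; the well-known ports for pop3, smbd/nmbd, vsftpd and tftpd are assumptions added here, the page only names TCP:143 for imap.

```python
import re

# Constructed 'netstat -nutlp' output for a freshly built host; not real data
NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      2001/dovecot
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2100/master
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      900/inetd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           900/inetd
tcp6       0      0 :::5432                 :::*                    LISTEN      2200/postgres
"""

# proto, recv-q, send-q, local addr:port, foreign addr, [State], PID/Program
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)$")

# Port -> (what the checklist calls it, the fix the checklist gives)
SAMBA_FIX = "update-rc.d -f samba remove && /etc/init.d/samba stop"
CHECKLIST = {
    901: ("samba-swat", "update-inetd --disable swat"),
    143: ("imap (clear-text)", "disable 'imap' in /etc/dovecot/dovecot.conf; invoke-rc.d dovecot restart"),
    110: ("pop3 (clear-text)", "disable 'pop3' in /etc/dovecot/dovecot.conf; invoke-rc.d dovecot restart"),
    5432: ("postgres", "update-rc.d -f postgresql-8.3 remove"),
    139: ("smbd", SAMBA_FIX), 445: ("smbd", SAMBA_FIX),
    137: ("nmbd", SAMBA_FIX), 138: ("nmbd", SAMBA_FIX),
    21: ("vsftpd", "update-rc.d -f vsftpd remove && /etc/init.d/vsftpd stop"),
    69: ("tftpd", "update-inetd --disable tftp"),
}
ANY_ADDR = ("0.0.0.0", "::")

def parse_listeners(text):
    """Return [(proto, bind_addr, port, program)] for every listening socket."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, pidprog = m.groups()
            found.append((proto.rstrip("6"), addr, int(port), pidprog.split("/", 1)[-1]))
    return found

def audit(text):
    """Return {port: (program, reason, remediation)} for listeners the checklist wants gone,
    plus sshd on all interfaces as a 'restrict to 1 IP' finding. Loopback-only
    services not on the checklist (e.g. Postfix on 127.0.0.1:25) are left alone."""
    findings = {}
    for proto, addr, port, prog in parse_listeners(text):
        if port in CHECKLIST:
            name, fix = CHECKLIST[port]
            findings[port] = (prog, f"{name} listening on {proto} {addr}:{port}", fix)
        elif port == 22 and addr in ANY_ADDR:
            findings[port] = (prog, "ssh reachable from any address", "restrict to 1 IP; disable 'root' access via SSHD")
    return findings
```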

###IPTables - Firewall###

Features:

1. Built-in firewall

2. Stateful inspection

3. Routing

4. Network Address Translation (NAT)

5. Front-end to the Netfilter Kernel firewall

Tasks:

1. Explore configuration

/sbin/iptables - primary binary to write rules and interact with firewall

/sbin/iptables-save|restore - saves & restores IPv4 rules

/sbin/ip6tables - primary binary "" for IPv6 firewall

/sbin/ip6tables-save|restore - ""

2. Use 'iptables'

2a. 'iptables -L' - lists the chains in the default 'Filter' table

Note: 'Filter' table governs traffic: inbound, outbound, and through (routing) your box

Note: There are 3 default chains in the 'Filter' table

1. INPUT - traffic sourced from external system destined for your system

2. FORWARD - router - traffic that is sent through your box

3. OUTPUT - Traffic sourced from your system to other systems

Note: There are 3 default tables:

1. NAT

2. Mangle

3. Filter (Default)

2b. Limit inbound traffic to the SMTP server to deny access from Windows server

2b1. 'iptables -A INPUT -p tcp --dport 25 -s 192.168.75.105 -j DROP'

3. Use 'ip6tables'

Note: Syntax is virtually identical to 'iptables*'

4. Write outbound rules

4a. 'iptables -A OUTPUT -d 192.168.75.105 -p tcp --dport 3389 -j DROP'
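How the Filter table arrives at a verdict for rules 2b1 and 4a, as an added example that is not part of the LinuxCBT notes: a small evaluator that parses rules in the same argument form, appends them to the INPUT/FORWARD/OUTPUT chains in order (as `-A` does), and applies first-match-wins with the chain policy as the fallback. The third rule and the packets are constructed for the demonstration; the default policies are assumed to be ACCEPT, as on a fresh install.

```python
import ipaddress
import shlex

# Rules in the argument form used in the notes (2b1 and 4a), plus one constructed
# ACCEPT rule so that a chain holds more than a single entry
RULES = [
    "-A INPUT -p tcp --dport 25 -s 192.168.75.105 -j DROP",
    "-A OUTPUT -d 192.168.75.105 -p tcp --dport 3389 -j DROP",
    "-A INPUT -p tcp --dport 22 -s 192.168.75.0/24 -j ACCEPT",  # constructed
]
# Default chain policies (what 'iptables -P' would set); ACCEPT on a fresh host
POLICY = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}
# Every option handled here takes exactly one argument
FLAGS = {"-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
         "--dport": "dport", "--sport": "sport", "-j": "target"}

def parse_rule(spec):
    """Turn '-A INPUT -p tcp ... -j DROP' into {'chain': 'INPUT', 'proto': 'tcp', ...}."""
    toks = shlex.split(spec)
    return {FLAGS[toks[i]]: toks[i + 1] for i in range(0, len(toks), 2)}

def build_chains(rules):
    """-A appends, so rule order in the list is rule order in the chain."""
    chains = {name: [] for name in POLICY}
    for rule in map(parse_rule, rules):
        chains[rule["chain"]].append(rule)
    return chains

def matches(rule, pkt):
    """Every match criterion present in the rule must hold; -s/-d accept host or CIDR."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    for key in ("sport", "dport"):
        if key in rule and int(rule[key]) != pkt.get(key):
            return False
    return True

def verdict(chains, chain, pkt):
    """First matching rule's target decides; otherwise the chain policy applies."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule["target"]
    return POLICY[chain]
```

Because `-A` appends, a later ACCEPT for the same traffic never overrides an earlier DROP; use `-I` to insert ahead of existing rules when that is the intent.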